Smarter technology for a Smarter Planet: 


Thinking outside the box 
depends on what’s in the box. 


The systemic inefficiencies in many server rooms today, in terms of both energy 
consumption and utilization, are becoming unsustainable. It isn’t simply a question 
of cost — it’s also about maintaining day-to-day operations. A recent study found 
that an estimated half of all businesses experience IT outages due to power and 
cooling issues.¹ 


As we build out the infrastructure of a smarter planet, companies need to consider 
not only how much power is under the hood of their next server purchase, but 
also how much energy will be consumed to provide that power. That’s where 
smarter tools like the IBM BladeCenter® HS22 come in. It’s designed to give you 
greater efficiency at every level, from its highly efficient design and Intel® Xeon® 
Processor 5500 Series to its advanced management software like IBM Systems 
Director that actively monitors and limits power consumption. All of which can 
add up to 93% in energy savings over the previous generation of rack servers. 


Learn how you can see a return on your investment in as little as three months² 


at ibm.com/hs22 


Systems, software and services for a smarter planet. 
Crockett 

"The stakes can be high when you're 
considering virtualization options 
for your organization." 



The Virtualization Stakes 

Use unbiased resources to research the field 


If you like putting a little money down at the horse track, 
you're probably enjoying watching the virtualization 
technology stakes as Microsoft trots out Hyper-V R2. 
Microsoft's virtualization offering is quickly becoming 
a serious contender in the field, along with VMware's 
offerings. 

The Stats 

According to a recent Windows IT Pro Instant Poll, most of our readers 
are using some flavor of virtualization—about 50 percent use 
VMware ESX Server, 24 percent use Microsoft Hyper-V technology, 
9 percent use both ESX and Hyper-V and a fairly impressive 6 percent 
use Citrix XenServer. Only 11 percent of respondents indicated that 
they didn't use virtualization technology at all. 

According to the most recent Windows IT Pro reader survey, IT 
pros are using virtualization in a variety of ways, including testing, 
server consolidation, application virtualization, backup and disaster 
recovery, development, legacy application hosting, database virtualization, 
and desktop virtualization. Reader Jon Bjerke's comment 
posted in response to Paul Thurrott's article, "Doing More with Less 
in 2010" (www.windowsitpro.com, InstantDoc ID 103394), provides 
an example that's typical of the collective enthusiasm expressed 
about virtualization: "Virtualization is the way to go. It simplifies 
management, security, and recovery. Take a small business: If you 
run ESXi or Hyper-V (both free), you simplify recovery. All I have 
to do is load the hypervisor software on a new server—[it] doesn't 
matter if it's the same brand or model—copy the VM back over, 
power the VM back on, and they are back in business." 

But the debate still rages over which platform is best, and the only 
point that nearly everyone can agree on is that IT pros need to carefully 
evaluate their environment and their business objectives to choose 
the best solution. Reader Brad Kulick argued in Letters: "Virtualization 
Preference" (January 2010, InstantDoc ID 103208) that both Microsoft 
and VMware virtualization offerings are "worthy of consideration, but 
to say that they're nearly the same is bewildering." 

Resources Galore 

So how do you sort out the claims for yourself? Windows IT Pro has 
a few resources you can use to get an unbiased assessment. One is 
the Virtualization Faceoff site at www.windowsitpro.com/faceoff. 
You'll find a couple of blogs written by Sean Deuby and Satish Jakka, 
both consultants with Seattle-based Advaiya. These blogs cover both 


VMware and Microsoft technologies, and both writers welcome 
comments and questions. You can also download a PDF version of 
the virtualization architecture poster that appeared in the February 
issue of Windows IT Pro. And coming soon, we'll have video interviews 
with representatives and users of both technologies. 

Another upcoming opportunity is Windows IT Pro's first 
VirtualizationPro Summit, March 16-19 at the Bellagio in Las Vegas. 
This conference will be an agnostic forum for learning in-depth 
about cross-platform virtualization technologies, with content 
geared toward helping you evaluate your needs and compare technologies. 
Summit speakers include authors whose names Windows 
IT Pro readers will recognize: Michael Otey, technical director, will 
do a technical tear-down of ESX Server and Hyper-V, as well as 
VMware vSphere versus Microsoft System Center Virtual Machine 
Manager. He'll also demonstrate Live Migration step by step. John 
Savill's session on exploring high virtual machine (VM) densities will 
help you determine how many VMs you can cram on a single box. 
Alan Sugano will demonstrate VMware vSphere 4.0 door-to-door, 
and Greg Shields will look at VMware ESX security. Keynote speaker 
Steve Riley, an evangelist for Amazon Web Services, will talk about 
the intersection of virtualization and cloud computing. Speakers 
from Microsoft and VMware will also present deep-dive sessions 
about their technologies. The conference will bring together a compelling 
group of cross-platform experts who can probably answer 
any question you have about virtualizing your environment. 

As always, Windows IT Pro will continue to cover virtualization 
from all angles—for example, check out Jan de Clercq's 
"Windows Server 2008 Hyper-V Security," page 37, InstantDoc ID 
103406. You can bookmark our virtualization content page 
(www.windowsitpro.com/virtualization); on this page, editor Zac Wiggy 
compiles virtualization resources from across our network and 
presents the latest news, technical articles, and product briefings 
to help you sort through the virtualization hype. 

No matter which horse you put your money on, the stakes can be 
high when you're considering virtualization options for your organization. 
Windows IT Pro's resources can help you study the field and 
make the right choice. 

InstantDoc ID 103476 
Polling Your Messaging Needs 

I'm responding to the January 7 Instant Poll question, "With the growing 
acceptance of cloud computing, how do you anticipate handling your 
messaging needs in the coming year?" The primary reason why I chose the 
response, "Continue to operate an in-house deployment of Exchange," is 
not because I don't trust the cloud environment but because I don't trust 
the overall speed and redundancy of my Internet connection. Now, 
reliability is a different story. I have a 3MB AT&T circuit that has been 
100 percent reliable but is still far slower than our internal 100/1000 
network. 

My company has only 70 users, but almost all of them rely on the internal 
public calendars we've set up on the Exchange server. I wouldn't want to 
place that kind of additional burden on a single Internet connection, 
regardless of the fact that we still really have a single point of failure 
with the Exchange server itself. At this point, I trust my internal 
environment more than I trust an external connection. 

Thank you for continuing to produce excellent newsletters and technology 
material (and that includes all of Windows IT Pro). 

—Tim White 

SharePoint Security Practices 

In his article "Essential SharePoint Security Practices: SharePoint Users 
and Groups" (January 2010, InstantDoc ID 103093), Randy Williams writes, 
"When you create a site collection, you must specify at least one but no 
more than two users who will become the site collection administrators." 
Later, he writes, "If you want more than two site collection 
administrators, you can add the users (or AD groups) to the SharePoint 
group called Owners." But if you go to the top site of any MOSS site 
collection and open Site Actions, Site Settings, Modify All Site Settings, 
you'll see a Site collection administrators option, with which you can 
specify a lot of users (more than two). Aren't those the same site 
collection administrators? 

Great question! Site collection administrators are the same whether you 
set them from Central Administration (which is where you're limited to 
two) or from the Site Collection Administrators link from within the 
top-level website in a site collection. And yes, you can set more than two 
from this latter link. Unfortunately, neither of them allows group 
memberships, which was part of the point I was trying to make. 

—Randy Williams 

Dual-Booting Windows XP and Windows 7 Is Easy! 

I disagree with Michael Otey in "Upgrading from Windows XP to Windows 7" 
(January 2010, InstantDoc ID 103144). Creating a dual-boot Windows 7/XP 
system is simple, and it's an excellent way to ease in to a transition 
from the older OS to the new one. 

Start by getting a second hard drive. If C is where XP lives, and D is 
your CD/DVD drive, assume the new drive will be E. I suggest renaming C 
"Windows XP"; you'll rename E "Windows 7" later. Begin the installation of 
Windows 7 (while running XP). When the system asks you where to install 
it, choose your now-empty new disk. After the build and reboot, you should 
see a dual-boot screen offering you a choice of Windows 7 and your 
"previous version of Windows" (you'll fix that name shortly). Choose 
Windows 7. 

You'll notice that Windows 7 is running on the C drive, but this isn't the 
drive that XP called C. Rename this drive "Windows 7." You might find it 
helpful to go into Disk Management and rearrange drive letters so that 
they have a similar pattern to what you previously had in XP. Make D the 
CD/DVD drive, and make E "Windows XP" (formerly C). Now everything is 
symmetrical, no matter which OS you use. 

To improve the dual-boot experience, I recommend NeoSmart Technologies' 
EasyBCD utility (neosmart.net). The software lets you rename "Previous 
version of Windows" (on the dual-boot screen) to "Windows XP." It also 
lets you back out of the Windows 7 installation. By choosing the Uninstall 
the Vista Bootloader option (under Manage Bootloader), you can remove the 
code that does the dual-boot stuff, leaving you with your original XP 
setup (and the inability to boot Windows 7). 

I used precisely this scheme when testing the prerelease versions of 
Windows 7. When I was ready to install the real version, I saved my files, 
removed Windows 7, and returned to XP. I then reformatted what was now E 
(and was identified as the Windows 7 disk, for safety), and reinstalled. I 
have a few routines that won't run on Windows 7 (or Windows Vista), so 
I've kept the dual-boot scheme, which doesn't really cost me anything 
(except some disk space). 

—Robert Schor 

SharePoint MVPs Offer 2010 Predictions 

I always read Dan Holme's SharePointPro Connections newsletter. In his 
December 28 installment, he wrote, "Asif Rehmani predicts that SharePoint 
Designer 2010 will be a Game Changer." 

I agree that it will be a game changer, specifically in areas outside 
SharePoint. SharePoint Designer was originally positioned as the next 
version of Microsoft FrontPage. The 2007 version of SharePoint Designer 
supported the editing of non-SharePoint-based sites (e.g., flat HTML 
pages). In addition, Microsoft made the software available to download 
for free, and many FrontPage users selected the free SharePoint Designer 
tool to manage their websites. 

But SharePoint Designer 2010 no longer supports the maintenance of 
non-SharePoint-based sites. Microsoft recommends Microsoft Expression 
(which, naturally, is no longer free) for that purpose. Microsoft has once 
again changed its licensing model on the fly. 

—Stefan Schwarz 

Bit Flips 

Ryan Mangipano's "Bit Flips: Was That a Zero or a One" (What Would 
Microsoft Support Do, January 2010, InstantDoc ID 103154) is a great 
article! Not only did Mangipano do a great job explaining registers and 
dereferencing in a short, compact article (which I have seldom seen done 
so smoothly), but it was also a nice walkthrough for IT pros familiar with 
the hardware but curious about how the Windows dump files work. Thanks for 
the great read! 

—bhellquist 

Virtual Windows 7 

I've read John Savill's recent FAQs on Windows 7 and XP. I'm wondering 
whether a new Windows 7 machine can still have a virtual disk running XP, 
and would that be any different in function than using Windows 7 to run XP 
programs in a compatibility mode? My XP machine crashed, and there are 
some XP programs that simply won't run under the compatibility mode in 
Windows 7. (I had to buy that new machine and could only get Windows 7.) 

—Michael A. Conrad 

With Windows 7, we effectively have two very different compatibility modes 
(potentially three). First, we have the standard Compatibility tab for 
applications that we've also had in previous OSs. It essentially "lies" to 
the application about the OS and service pack it's running on and can also 
hide/disable elements of the OS that might cause problems with the 
application. These configurations (lies) are known as shims. We can make 
some apps work on Windows 7 by using these shims, and that's generally the 
optimal solution, if possible. Ultimately, however, the application is 
still running on Windows 7 and the architecture (e.g., 64-bit) of the 
Windows 7 installation. 

Microsoft introduced Windows XP Compatibility Mode for instances in which 
the Compatibility tab doesn't work for an application in Windows 7. All 
this mode does is install Windows Virtual PC, along with a 
Microsoft-created XP image into which you can install applications. The 
application-integration feature then allows the programs running in the XP 
virtual machine (VM) to seamlessly appear on the main Windows 7 desktop, 
so the average user doesn't know the application is actually running in a 
VM. With this technology, the application is running on a 32-bit Windows 
XP OS installation, which means any application that works with XP should 
work in the Windows XP Compatibility Mode VM. 

The third option is essentially the same as the second: You install 
Windows Virtual PC, but you don't use the Microsoft Windows XP image. You 
can use your own XP, Vista, or Windows 7 image to run applications. The 
seamless application integration is still available with this approach 
(once the integration tools are installed) and just gives you more 
flexibility. If you roll out Windows 7 64-bit and have applications that 
don't run on a 64-bit OS (perhaps they have 16-bit code), you can run 
those applications in the 32-bit VM. 

To summarize, the traditional Compatibility mode tab merely imitates 
certain aspects of an older OS to the application, but it's still running 
on Windows 7. With the XP Compatibility Mode (or any virtual mode), the 
application is actually running on that virtual OS and should run any 
application. Hope this clears things up! 

—John Savill 

Windows IT Pro welcomes feedback about the magazine. Send comments to 
letters@windowsitpro.com, and include your full name, email address, and 
daytime phone number. We edit all letters and replies for style, length, 
and clarity. 

InstantDoc ID 103507 
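The shims that John Savill's reply describes are chosen per executable, and what the Compatibility tab records is ordinary registry data, which makes the same fix deployable to many machines and, just as usefully, auditable. The script below is an added example, not part of the letter or the reply and not Microsoft's code. It relies on the documented location of those settings: values named after the executable's full path under the AppCompatFlags\Layers key, per user in HKCU and machine-wide in HKLM, whose data is a space-separated list of layer names such as WINXPSP3 or RUNASADMIN (Windows 8 and later prefix the data with a tilde, which the script strips). It lists every shimmed program, flags the ones that always request elevation, and applies the same Windows XP SP3 layer the tab would. The executable path in the usage line is a placeholder.

```powershell
# Added example: enumerate and set Compatibility-tab layers ("shims") from PowerShell.
# Written for PowerShell 2.0 so it runs on a stock Windows 7 box; HKLM writes need an elevated shell.
$layerKeys = @(
    "HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers",   # current user
    "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"    # all users
)

function Get-CompatLayers {
    # One object per shimmed executable, across both scopes.
    foreach ($key in $layerKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($exe in $item.GetValueNames()) {
            $raw    = [string]$item.GetValue($exe)
            # Newer Windows versions write "~ WINXPSP3 RUNASADMIN"; Windows 7 writes it without the tilde.
            $layers = @(($raw -replace '^~\s*', '') -split '\s+' | Where-Object { $_ })
            New-Object PSObject -Property @{
                Scope      = $key.Substring(0, 4)                  # HKCU or HKLM
                Executable = $exe
                Layers     = ($layers -join ' ')
                # RUNASADMIN makes every launch request elevation. Worth a second look when the
                # executable sits in a user-writable folder: whoever can replace the file gets an
                # elevation prompt issued in the user's name.
                Elevates   = ($layers -contains 'RUNASADMIN')
                Missing    = -not (Test-Path -LiteralPath $exe)  # stale entry for a removed program
            }
        }
    }
}

function Set-XpSp3Layer {
    # Apply the same shim the Compatibility tab writes for "Windows XP (Service Pack 3)".
    param([string]$ExePath, [switch]$AllUsers)
    $key = if ($AllUsers) { $layerKeys[1] } else { $layerKeys[0] }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ExePath -Value 'WINXPSP3' -PropertyType String -Force | Out-Null
}

# Usage (the path is a placeholder):
# Set-XpSp3Layer -ExePath 'C:\LegacyApps\oldapp.exe'
Get-CompatLayers | Sort-Object Elevates -Descending |
    Format-Table Scope, Elevates, Missing, Layers, Executable -AutoSize
```

A layer only applies to the exact path recorded in the value name, so a program that is moved or reinstalled elsewhere silently loses its shim; that is what the Missing column surfaces, and it is also why a shim is a per-machine fix rather than something the application carries with it.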
Your guide to sponsored resources 

VirtualizationPro Summit & Expo—March 16-19, 2010—Bellagio, Las Vegas, NV 

Your destination to learn everything you need to 
deploy, configure, secure, optimize, and manage 
virtualization technology. Join experts on both 
Microsoft and VMware solutions. Choose from over 
25 sessions and workshops. The VirtualizationPro 
2010 Summit & Expo lineup features keynote 
speakers Steve Riley (Amazon), Edwin Yuen 
(Microsoft), and Jack Lo (VMware) and presentations 
from virtualization experts such as Michael 
Otey, John Savill, Dan Holme, Don Jones, Greg 
Shields, and Alan Sugano. Register today! 
VirtualizationProSummit.com 

How You Can Be More 
Green with Your Computing 

Organizations can reduce their overall impact 
on the environment by judicious application of 
technologies such as power plans, migrating fax, 
implementing virtualization, and moving towards 
more efficient client hardware platforms. Listen to 
this podcast to learn more. 
windowsitpro.com/go/GreenIT101Podcast 

Backups—Do We Even 
Know How to Use Them? 

Many companies perform basic system-level backups but have never 
actually tried to restore from them, nor worked out the correct 
process. In this session we explore the importance of application-aware 
backup, which enables very granular levels of restoration, as well as 
best practices around when to back up, what to back up, how restore 
processes work in many different scenarios, and how we should be 
testing them regularly. 

windowsitpro.com/go/Backup101 
Thurrott 

"Android is especially attractive to those 
businesses that have opted out of 
on-premise servers and have instead 
adopted Google-based cloud services." 


NEED TO KNOW 


What You Need to Know About Google Android 


In the beginning, there was the BlackBerry, the push- 
email device from Research in Motion (RIM), which 
set the standard for corporate mobility. And of course, 
Microsoft's own Windows Mobile system has long offered 
push-email and Microsoft Exchange compatibility as 
well. But with consumer-oriented devices such as Apple's 
wildly popular iPhone slipping into the boardroom, there's an 
opening for other smartphones, like those based on Google 
Android, to do so as well. Here's what you need to know about 
Google Android. 

Smartphone Platform 

Android is surprisingly similar to Windows Mobile on many 
levels, but it features a more modern architecture and provides 
a native touch screen interface that's more like the iPhone. 
(Though Windows Mobile 6.5.x does support multi-touch, as 
does the iPhone.) It's based on a Linux kernel and runs managed 
code applications created with the Java programming language. 

Unlike Windows Mobile and iPhone, Android is an open 
system. And Google provides Android to wireless carriers and 
mobile device makers for free. As a result, there are already over 
30 Android-based devices worldwide, despite the fact that Android 
has only been on the market for less than 18 months. At this time, 
at least one Android handset is available from every major wire¬ 
less carrier in the US, including the popular Verizon Droid, and 
Google's own Nexus One phone, which the online giant sells 
directly to users from its website. 

This variety of devices works similarly to the range of choices 
one sees with Windows Mobile devices but with some important 
differences. First, Android phones tend to come in two basic 
form factors: pure touch-screen devices and devices with pullout 
hardware keyboards. What's missing is a BlackBerry-style thumb 
keypad-based device, though there's nothing stopping third parties 
from making one. And because of Android's open nature, 
any Android user can take advantage of software updates and 
new OS versions, something that's very difficult with Windows Mobile. 

And Android has seen several updates since its first release in 
October 2008. These updates have caused Android to mature quite 
rapidly, and the system is now considered to be quite compatible, 
functionality-wise, with iPhone, while offering low-level capabilities 
like multi-tasking that the iPhone lacks. Key updates since 
the initial release include system-wide copy and paste, HTML 5 
support, multi-touch support, and, in version 2.x, compatibility 
with Exchange. It's this capability that makes Android interesting 
to businesses. 

Android In Business 

While a Google phone platform such as Android would logically be 
expected to integrate nicely with Google's Gmail, Google Calendar, 
and Google Docs systems, Google has also been working to add 
Exchange functionality to its OS. This work is not yet complete. 
In the most recent version of the Android OS, Google provides 
core Exchange sync capabilities for email, contacts, and calendaring. 
But Android doesn't yet support Microsoft's sweeping set of 
ActiveSync security policies—for complex password requirements, 
device-level encryption, and so on—nor does it support remote 
wipe. Until these capabilities are added to Android, the system will 
be unacceptable for the enterprise. 
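The policy set Thurrott refers to is defined and enforced on the Exchange side, which is also where an administrator decides what happens to a handset that cannot honour it. The Exchange Management Shell commands below are an added example, not code from the column or from Microsoft; they run against Exchange 2007 SP1 or Exchange 2010, and the policy name, mailbox alias, and device ID are placeholders. The example creates a policy that requires an alphanumeric device password and on-device encryption, refuses devices that cannot apply the policy (the switch that keeps a client without policy support, such as the Android builds described above, off the server rather than quietly synchronizing mail), assigns the policy to a mailbox, lists the partnered devices with their policy status, and issues a remote wipe for one of them.

```powershell
# Added example: Exchange-side enforcement of the ActiveSync policies discussed above.
# Exchange Management Shell, Exchange 2007 SP1 / 2010. All names are placeholders.
$policyName   = "Corp-Mobile"        # assumed policy name
$mailbox      = "jdoe"               # assumed mailbox alias
$lostDeviceId = "ANDROIDABCDEF01"    # assumed DeviceID of a lost handset (taken from the listing in step 4)

# 1. Create the policy if it does not exist yet.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $policyName | Out-Null
}

# 2. Complex password, lockout, inactivity lock, device encryption, and no exception
#    for devices that cannot apply the policy.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false
# AllowNonProvisionableDevices $false is the switch that matters for the column's point:
# a client that cannot acknowledge and apply the policy is refused when it tries to
# partner, instead of synchronizing mail with none of the controls in place.

# 3. Assign the policy to a mailbox.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 4. Audit the devices partnered with that mailbox and whether each one applied the policy
#    (DevicePolicyApplicationStatus is AppliedInFull, PartiallyApplied, NotApplied, or Unknown).
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceID, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus |
    Format-Table -AutoSize

# 5. Remote-wipe a lost or non-compliant device, matched by DeviceID from the listing above.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Where-Object { $_.DeviceID -eq $lostDeviceId } |
    ForEach-Object { Clear-ActiveSyncDevice -Identity $_.Identity -Confirm:$true }
```

A wipe is only queued by the server and executes the next time the device connects, so a stolen handset kept offline keeps whatever it already synchronized; that is why the encryption requirement in step 2 belongs alongside the wipe capability rather than being an optional extra.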

That said, Android will likely see great traction with smaller 
businesses, and it's an excellent solution for those businesses that 
are based around Google's hosted services. As was the case with 
the iPhone, you can expect Google to improve Android's Exchange 
functionality and make the system a more acceptable alternative 
to Windows Mobile or BlackBerry in businesses of all sizes. 

Third parties could rise to the challenge as well, including 
wireless carriers or device makers that wish to serve this market. 
T-Mobile, for example, has released an Android application that 
helps encrypt on-device email, plugging one hole in the core OS. 
But it's unclear how effective a modified Android device will be in 
attracting larger corporations. 

Recommendations 

Although Android is a surprisingly strong entry so early in its 
lifecycle, I can't yet recommend any Android-based smartphones 
to enterprises because of the lack of key security features. But I 
expect that this will change rapidly, and for those smaller businesses 
that are looking for cool and functional smartphones, 
some of the newer Android designs are quite enticing. Android 
is especially attractive to those businesses that have opted out 
of on-premise servers and have instead adopted Google-based 
cloud services. This, too, is a growing audience, and one that 
Google will likely have great success capturing. This is a system 
to keep an eye on. 

InstantDoc ID 103425 
NEED TO KNOW 


What You Need to Know About Windows Mobile 6.5 
and Beyond 


Microsoft has come under fire from the tech 
press and blogging community for its lackluster 
Windows Mobile 6.5 release. But this 
smartphone OS is a work in progress. Subsequent 
updates that should ship with new 
devices by the time you read this should close 
the functional gap with industry darlings like 
the iPhone and Google Android. (Windows 
Mobile already offers decent competition for 
RIM's BlackBerry systems, in my opinion.) 
Here's what you need to know about Windows 
Mobile 6.5 and 6.5.x (as of press time, 
the version number hadn't been finalized), 
and why I don't think it's time to write off 
Microsoft in the mobile space quite yet. 

A Functional New Front End 

Windows Mobile 6.5 shipped on a handful of 
devices in October 2009. The 6.5 release was 
a direct follow-up to Windows Mobile 6.1, 
and although Microsoft now admits it wishes 
it had had more time in which to develop 
6.5, the company did what it could given the 
short development time. Windows Mobile 6.5 offers the following major changes. 

Multi-touch. Windows Mobile 6.5 supports 
touch and multi-touch natively and 
includes several front-end interfaces, 
described below, that assume this style of 
interaction (in lieu of the old-fashioned 
stylus-based interface that older Windows 
Mobile versions were based on). However, 
its touch support is only skin deep. If you 
navigate into the UI, you find screens and 
interfaces that date back to the days of the 
Pocket PC and aren't touch friendly at all. 

New lock screen. The Windows Mobile 6.5 lock screen by default displays the date, 
time, and the next meeting or other scheduled item in your calendar. But it also surfaces 
notifications as they arrive, and these notifications appear individually on the 
screen, each with a swipe-able unlock button. You can unlock the screen and go right 
to text messages or new email. This feature is missing from the iPhone and is actually a 
big usability win for Windows Mobile. 

Today screen. The Windows Mobile 6.5 Today screen features an attractive and usable 
design that evokes the "crossbar" UI from previous Windows Mobile versions. It 
features large, text-based menu items that support full touch gestures with realistic 
onscreen effects such as menus that slide and bump when they stop moving. So you 
can stop on any item, then scroll left or right by using a flicking motion. This excellent 
and proven UI lets you access more of the phone's functionality directly from this single 
interface. I like it, and as with the Lock screen, it's a nice innovation for which Microsoft has 
received little credit. 

Start screen. In Windows Mobile 6.5, 
Microsoft finally retires the pulldown Start 
Menu and replaces it with a full-screen Start 
screen that, like the new Today screen, is 
more finger-friendly. It provides access to all 
of the phone's applications, plus the usual 
assortment of utilities and system folders, 
and it minimizes the need to dive into the 
interior of Windows Mobile, where the UI 
hasn't changed. 

Soft menus. In keeping with the touch- 
friendly nature of 6.5, Microsoft has also 
updated the look and feel of the context- 
sensitive soft menus. The Today screen, for 
example, provides soft menus for Contacts 
and View. If you receive a phone call notification 
while using the phone, you'll see the 
View and Dismiss soft menus. 

Improved Internet Explorer. In response to the iPhone's desktop-like Safari 
browser, Windows Mobile 6.5 includes a new Mobile IE version that uses the rendering 
engine from IE 6 for Windows. It supports Flash Lite, which the company says 
lets you complete almost 50 percent more web tasks than with the Flash-less iPhone 
Safari, and it features a nice UI. You'll see a single, circular (finger-shaped) button in 
the lower right of the screen. Tap it and four menu buttons—Back, Favorites, Keyboard, 
and Search—appear. Let go and they fade away. IE 6 Mobile can render sites in either 
their mobile (default) view or as a desktop browser would. 

Looking Beyond 6.5 to 6.5.x 

Before it delivers Windows Mobile 7, 
Microsoft will deliver two interim updates, 


both tied to device releases, which will 
complete the Windows Mobile 6.5.x series 
of updates. Unfortunately, most users with 
existing Windows Mobile 6.5 devices will 
not be able to update to newer versions of 
the 6.5.x software. Check with your wireless 
carrier or device maker to see whether your 
device will support updates. 

Capacitive screen support. Windows 
Mobile 6.5 devices that shipped in October 
2009 and shortly thereafter came with lackluster 
non-capacitive screens. They force 
the user to push harder on the glass to scroll 
items, and often cause icon click misfires. 
Microsoft added capacitive screen support in 
the first post-6.5 update, and the first device 
to include this support, the HTC HD2, is 
available. The change is stunning: Windows 
Mobile devices that utilize a capacitive touch 
screen are much easier to use. 

Full touch interface. Windows Mobile 6.5 offered elegant touch interfaces only on 
surface screens. Starting with the second 
generation of 6.5 devices shipping in the 
first half of 2010, more UIs will be as touch 
friendly as the surface UIs. 

Recommendations 

Windows Mobile 6.5 had too many functional holes, but subsequent updates, plus 
existing business-related features, make this release more competitive with iPhone 
and Android handsets. When you combine these features with new multi-touch 
capabilities and a capacitive screen-based design, you've got a winner. There's no 
reason to wait for Windows Mobile 7: Windows Mobile 6.5 is already up to the task, 
assuming you get a device with the latest software. But I'd skip the first-generation 
software from late 2009, unless you prefer non-touch-screen devices. 
Next Generation of Total Malware Protection 



The configurable Command Center puts all the 
information you need in one place. Manage individual 
agents, quarantines, threats, and more. 


Until now, antivirus engines have been Frankensteins, bolted together 
from bits and pieces of different products. They're slow, full of bugs, and 
hard to manage. 

VIPRE Enterprise is a revolutionary new approach. It's built from scratch as the 
all-in-one antivirus, antispyware, anti-rootkit solution that gives you complete 
endpoint malware protection without hogging resources! It's fast, powerful 
and easy. 

Plus, advanced anti-malware technology protects your system 
against the new wave of malware threats. No more juggling 
multiple programs. No more dealing with user complaints 
about slow workstation performance. 



CPU % Used During Scan 

How does your current software compare? 

VIPRE Enterprise scans at a brisk 13.95 MB/sec and 
uses just 27% of CPU and 50 MB of RAM. In idle, it 
uses a mere 133 MB RAM with a disk footprint of just 
113 MB. You'll hardly notice it's running! 



Sunbelt Software 


► COMPLETE! All-in-one protection from today's malware. 

► FAST! High-performance and low impact on system resources. 

► EASY! Manage everything easily from one command screen. 

► RELIABLE! Configurable, real-time monitoring technology. 

► AFFORDABLE! Ask for a quote with our 50% competitive 
upgrade discount! 


Why struggle with slow resource hogs when you can manage 
ALL your malware threats with one fast, easy application? 


Curious? Download your FREE copy of VIPRE Enterprise and 
gi ve it a test drive. 
When you compare VIPRE Enterprise to Symantec, McAfee, 
Trend Micro or whatever antivirus program you're using, you 
WILL want to switch! Don't worry, though. You can get VIPRE 
Enterprise with a 50% competitive upgrade discount! 


Plus we will buy out your existing maintenance contract for 1 year! 

www.TestDriveVipre.com 

Sunbelt Software Tel: 1-888-688-8457 or 1-727-562-0101 Fax: 1-727-562-5199 www.SunbeltSoftware.com sales@sunbeltsoftware.com 
© 2009 Sunbelt Software. All rights reserved. VIPRE Enterprise is a trademark of Sunbelt Software. All trademarks used are owned by their respective owners. 
WINDOWS POWER TOOLS 


Minasi 

"Don't let the prospect of learning 
37 commands scare you away 
from Diskpart!" 



Initializing Windows Disks with Diskpart 

This oft-forgotten tool is indispensable when you're building systems 


One of Windows' essential command-line utilities is 
Diskpart. The tool lets you partition, format, initialize, 
and resize drives, set up RAID, and more—and in 
Windows 7 and Windows Server 2008 R2, it lets you 
work with virtual disks. I find Diskpart indispensable 
when building systems, so let's dig in and see how to use 
Diskpart to wipe a hard disk clean, partition the disk, and format it. 

At the command line, type diskpart and press Enter. (Diskpart needs administrator rights, so on Windows Vista and later open an elevated command prompt first.) Once you're in the tool, you'll see that Diskpart has its own command prompt. Diskpart is essentially its own command environment, a command-line interface (CLI) inside a CLI. Typing help (or any invalid command) and pressing Enter causes Diskpart to display about three dozen commands, but don't let the prospect of learning 37 commands scare you away from Diskpart, because you'll actually perform 99 percent of your Diskpart work with about eight commands.

As you know, if you've ever initialized a disk from the Logical 
Disk Manager GUI, you first click on the physical disk drive, then 
create a partition (or partitions) on it, then format those partitions 
and typically give them letters. Diskpart follows the same pattern, 
requiring you to select a disk before you create partitions, then 
requiring you to select a partition before formatting it, and so on. 
To select a particular disk, you type a command that looks like 

select disk <disknumber> 

but which number is the disk you want to work on? Find out by typing list disk, which gives you output that looks like Figure 1. Diskpart numbers disks starting from zero rather than one, and you can see that both drives store their partition information on the master boot record (MBR) rather than a GUID partition table (GPT), and both disks are basic rather than dynamic (no values in the Dyn and Gpt columns).

Now, I'll complicate the problem by saying that this system has two 24GB drives: one holds the OS and applications, and the other is just an extra drive for holding data. Clearly, you don't want to accidentally wipe the OS's drive, so how do you know which is which? You use select disk, along with detail disk. Let's start with disk 0 and see what's on it:

select disk 0 
detail disk 


  Disk ###  Status      Size     Free     Dyn  Gpt
  --------  ----------  -------  -------  ---  ---
  Disk 0    Online        24 GB  1024 KB
  Disk 1    Online        24 GB     0 B

Figure 1: List Disk Output


VMware Virtual IDE Hard Drive ATA Device
Disk ID: F1B17FB3
Type   : ATA
Status : Online
Path   : 0
Target : 0
LUN ID : 0
Location Path : PCIROOT(0)#PCI(0701)#ATA(C00T00L00)
Current Read-only State : No
Read-only : No
Boot Disk : No
Pagefile Disk : No
Hibernation File Disk : No
Crashdump Disk : No
Clustered Disk : No

  Volume ###  Ltr  Label       Fs    Type       Size   Status   Info
  ----------  ---  ----------  ----  ---------  -----  -------  ----
  Volume 1    E    New Volume  NTFS  Partition  23 GB  Healthy

Figure 2: Detail Disk Output


That provides output that looks like Figure 2. Disk 0 reports Boot Disk: No and carries a single volume, E: (labeled New Volume), so disk 0 is, perhaps surprisingly, the data disk, and therefore disk 1 must be the OS disk. So, you've got your sights on the correct disk (disk 0); it costs nothing to run select disk 1 and detail disk as well and confirm that it is the one marked Boot Disk: Yes, because the next command is irreversible. Next, let's wipe the disk clean by typing clean. Doing so doesn't really wipe a disk clean by overwriting all of its data; rather, clean erases the partition table (the MBR here, or the GPT headers on a GPT disk), which is essentially the disk's "table of contents." The old data is still on the disk, and a partition-recovery or file-carving tool will find it easily: the OS simply doesn't know how to get to it anymore, so it will end up being slowly overwritten as we build a new disk structure atop the old one and start putting files on that new disk structure. If the point is to make old data unrecoverable before a disk is reused or leaves your control, type clean all instead, which writes zeros to every sector (and therefore takes as long as writing the entire disk).

Next, the newly cleaned disk needs at least one new disk partition. The simplest method is to make the drive into one big partition with the command create partition primary. If you want multiple partitions, you'd add the size= parameter, followed by the desired size in megabytes. If I wanted to create two partitions, one 10GB and another 14GB, I'd create the first one by typing

create partition primary size=10240

(Remember, Diskpart counts 1024MB to the gigabyte, not 1000.) Then, I could create the second partition by just typing create partition primary, as the create partition command without a size= parameter tells Diskpart to use all the remaining space on the hard disk. I can see the result of my work by typing list partition.
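The sequence above, wrapped in a guard, as an added example that is not part of the column: a PowerShell function that refuses to run if the chosen disk number carries the boot partition or the Windows system drive, then feeds Diskpart the same commands from a script file (diskpart /s) so the steps are reviewable and repeatable rather than typed by hand. It assumes an elevated prompt and PowerShell 3.0 or later, and uses the Win32_DiskPartition and Win32_LogicalDiskToPartition WMI classes to map a Diskpart disk number to what lives on it. The 10GB-plus-remainder layout and the -ZeroAllSectors switch (which swaps clean for clean all) are choices made for this example.

```powershell
# Added example (not from the article): a guarded, scripted version of the
# select disk / clean / create partition sequence described above.
# Run from an elevated prompt; Diskpart itself requires administrator rights.
function Invoke-GuardedDiskWipe {
    param(
        [Parameter(Mandatory = $true)][int]$DiskNumber,   # same numbering as Diskpart's "list disk"
        [int]$FirstPartitionMB = 10240,                     # 10GB, as in the article (1024MB per GB)
        [switch]$ZeroAllSectors,                            # use "clean all" instead of "clean"
        [switch]$Preview                                    # return the Diskpart script instead of running it
    )

    # Guard 1: Win32_DiskPartition.DiskIndex is the number Diskpart shows in "list disk";
    # BootPartition is set on the partition the machine boots from.
    $parts = Get-WmiObject -Class Win32_DiskPartition | Where-Object { $_.DiskIndex -eq $DiskNumber }
    if (-not $parts) {
        Write-Warning "Disk $DiskNumber has no partitions (or does not exist); check 'list disk' first."
    }
    if ($parts | Where-Object { $_.BootPartition }) {
        throw "Disk $DiskNumber contains the boot partition. Refusing to clean it."
    }

    # Guard 2: walk from the Windows system drive letter back to its physical disk.
    $sysDrive = $env:SystemDrive   # e.g. "C:"
    $sysPart  = Get-WmiObject -Query ("ASSOCIATORS OF {Win32_LogicalDisk.DeviceID='$sysDrive'} " +
                                      "WHERE AssocClass=Win32_LogicalDiskToPartition")
    if ($sysPart -and ($sysPart | Where-Object { $_.DiskIndex -eq $DiskNumber })) {
        throw "Disk $DiskNumber holds $sysDrive (the Windows installation). Refusing to clean it."
    }

    # "clean" only drops the partition table; "clean all" overwrites every sector with zeros.
    $cleanCmd = if ($ZeroAllSectors) { 'clean all' } else { 'clean' }
    $script = @"
select disk $DiskNumber
detail disk
$cleanCmd
create partition primary size=$FirstPartitionMB
create partition primary
list partition
"@

    if ($Preview) { return $script }

    $scriptPath = Join-Path $env:TEMP "diskpart-disk$DiskNumber.txt"
    Set-Content -Path $scriptPath -Value $script -Encoding ASCII   # Diskpart reads a plain text script
    & diskpart.exe /s $scriptPath
    Remove-Item $scriptPath -ErrorAction SilentlyContinue
}

# Usage: preview the script first, then run it (zeroing the sectors if the disk held sensitive data).
# Invoke-GuardedDiskWipe -DiskNumber 0 -Preview
# Invoke-GuardedDiskWipe -DiskNumber 0 -ZeroAllSectors
```

The guards only catch the two mistakes that are easy to make on a machine like the one in Figure 1 (wiping the boot disk or the disk that holds %SystemDrive%); they do not know which of several data disks you meant, so -Preview is still worth running first.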

Now, we've got our partitions, but they still need drive letters and formatting. I'll show you how to do that next month.

InstantDoc ID 103422
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Otey 

"Microsoft E-Learning courses are web-based, 
self-paced training courses that you can take 
anywhere you have an Internet connection." 


Free Microsoft E-Learning Courses 

Find online training opportunities in Windows 7, Windows Server 2008, 
Exchange 2010, and other Microsoft technologies 


One of the best ways to keep up with the onslaught of new Microsoft technologies is through the company's E-Learning program. Microsoft offers dozens of online courses, many completely free and others available for a nominal cost. The Microsoft E-Learning courses are web-based, self-paced training courses that you can take anywhere you have an Internet connection. After you sign up, a course is typically available to you for one year. During that time, you can take the course as often as you like. Let's take a look at ten free E-Learning courses that can help you keep up with some important new technologies. For more information or to sign up for any of these courses, go to learning.microsoft.com/Manager/catalog.aspx and search the Learning Catalog for the Clinic number.

1. What's New in Windows 7 for IT Professionals: If you're considering moving to Windows 7, you'll want to check out this course, which focuses on Windows 7 deployment and security enhancements. It also covers OS manageability and performance. The course should also help you manage and deploy Windows Vista and Windows XP systems. This course is Clinic 10077.

2. What's New in Windows 7 for Information Workers: This course is designed to help users make the most of Windows 7. You'll learn about Windows 7 productivity enhancements such as UI improvements and the updated User Account Control. The course also covers security, connecting to networks, and using devices. This course is Clinic 10088.

3. Microsoft Security Guidance Training I: Security is one of the most important IT issues, and the Microsoft Security Guidance Training I course covers introductory security principles and best practices. It also covers server hardening and domain controller security policies. In addition to this E-Learning course, Microsoft offers Security Guidance Training II, III, and IV, which are also free. You can find Security Guidance Training I as Clinic 2801.

4. Inside Look at Developing with Microsoft Windows SharePoint Services 3.0: Windows SharePoint Services (WSS) is one of the fastest growing Microsoft platforms. In this course, you'll learn about integrating ASP.NET and SharePoint. In addition, you'll learn about SharePoint Designer, using web parts and workflow, and deploying SharePoint solutions. You can find this course as Clinic 5045.

5. Introducing Branch Office Management in Windows Server 2008: This course is designed to help you get up to speed on the new branch office features in Windows Server 2008. The course covers improvements in branch office server deployment as well as using Read Only Domain Controllers (RODC) and Server 2008 WAN utilization improvements. Find this course as Clinic 5937.

6. What's New in Microsoft SQL Server 2008 for Enterprise Data Platform: This E-Learning course covers security enhancements in SQL Server 2008 as well as the new database management and monitoring features. This course is Clinic 6188.

7. Introducing Terminal Services Presentation Virtualization in Windows Server 2008: This course covers the Terminal Services capabilities in Server 2008. It provides a Terminal Services overview as well as explaining RemoteApp, Terminal Services Gateway, Web Access, Session Broker, and single sign-on. These features are all in Server 2008 R2 as well, but they've been renamed Remote Desktop Services. This course is Clinic 5938.

8. Introducing Hyper-V in Windows Server 2008: Hyper-V virtualization is probably the most important new feature in Windows Server 2008. In this course, you'll learn about the features of Hyper-V as well as how Hyper-V can be used for server consolidation. This course also explains Hyper-V implementation and clustering. You'll find this course as Clinic 5935.

9. Introduction to Exchange Server 2010: Exchange 2010 will be one of Microsoft's biggest products for this year. This course covers the new features in Exchange 2010, including storage enhancements, Role Based Access Control (RBAC), and new management capabilities with Exchange Control Panel. You can learn more about the Exchange 2010 course at Clinic 6900.

10. What's New in Windows Server 2008 R2: This course delivers an overview of the new features in Server 2008 R2. It covers the enhancements in Hyper-V 2.0 as well as the Active Directory Administrative Center and the Recycle Bin. You'll also learn about IIS 7.5 and Remote Desktop Services. This is Clinic 10183.
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WHAT WOULD MICROSOFT SUPPORT DO? 


Morales 

"Sometimes it may be a complete mystery 
where an error came from, be it a message 
dialog box or a global log entry." 



Find the Source of an Error Message 

Two Windows Sysinternals tools help you identify what process generated an error 


Error messages are a fact of life for PC users. Usually it's a straightforward process to troubleshoot where an error message came from, then continue to investigate why this error occurred. But sometimes it may be a complete mystery where an error came from, be it a message dialog box or a global log entry such as an event log error. This scenario is more common for system administrators who experience errors on unattended servers and only notice the message hours or even days later. In this article, I'll demonstrate two Windows Sysinternals tools that can help you locate the source of such errors. We'll walk through two examples, a message dialog box and an event log entry.

Message Dialog Boxes 

For the first example scenario, locating the owner of an error mes¬ 
sage's dialog box, we can use Process Explorer. Process Explorer 
includes a tool that lets you find a Windows process. In the Process 
Explorer toolbar, this tool is represented by the crosshair icon. 



Figure 1a: "Find Windows process" tool used on a message dialog box


To use this tool, left-click and hold the mouse down, drag the 
crosshair icon onto the dialog message (Figure 1a), and release the 
mouse button. Doing so will highlight the process that owns the error, 
as Figure 1b shows. Here we'll use a very simple example of an error 
opening a nonexistent file in Notepad. In this case, it's obvious where 
the error message came from and why. However, if this dialog box 
were to suddenly appear (from a system service, for example), the 
source would not be at all obvious based on the dialog box's text. 

Furthermore, in many cases you'll be able to use Process Explorer to examine the thread stacks of this process instance to locate the origin of the message box, as Figure 2 shows. There may be other function names in the thread's call stack that will provide useful information.

Figure 1b: "Find Windows process" showing the owner of the dialog box

Figure 2: Viewing the call stack of the thread that displayed the message dialog box


Binstr.bat

@rem %1 = directory to scan, %2 = quoted string to look for.
@rem Hand every .exe and .dll under %1 to the subroutine batch file;
@rem "call" makes control return here after each file.
@for /r %1 %%X in (*.exe *.dll) do @call %~dp0binstr_func.bat "%%X" %2
@echo Scan finished... please see %~dp0binstr_output.txt

Figure 3a: Binstr.bat enumerating all .exe and .dll files in a given directory and its subfolders


Binstr_func.bat

@rem %1 = quoted file name, %2 = quoted search string
@echo %1
@echo %1 >> %~dp0binstr_output.txt
@rem strings.exe -o prints each string's byte offset, -q suppresses the banner;
@rem find.exe /i matches the search string case-insensitively
@%~dp0strings.exe -o -q %1 | find.exe /i %2 >> %~dp0binstr_output.txt

Figure 3b: Binstr_func.bat, a subroutine that calls strings.exe, filters its output, and logs results to file

Event Log Error Message 

In this example, we'll be searching program files for an arbitrary string taken from an event log entry. We can do this in a very primitive way using the Sysinternals strings.exe tool; however, let's use a trick or two to optimize the search. After all, searching every single file on a system drive would be time-consuming and use a lot of unnecessary resources.

To optimize the search, we'll perform 
a few tasks using the batch files shown in 


Figures 3a and 3b. Batch file syntax is out¬ 
side the scope of this article, so I will only 
briefly comment on each line and what it 
does. 

Binstr.bat, in Figure 3a, is a cmd.exe batch file that takes two arguments; the first is a directory name, and the second is the string to look for. It uses a for loop to single out only .exe and .dll files in the given directory and its subfolders. It passes each of these filenames to a second batch file along with the string we're looking for.

Binstr_func.bat, in Figure 3b, can be thought of as a subroutine for the main batch file. This must be in a second file due to limitations in the batch for command syntax. This subroutine takes two arguments: a filename and a string we are looking for. It then does three things. First, it prints the filename to the console to indicate that the batch file is progressing. Second, it logs the filename to a text file, binstr_output.txt. Finally, it calls strings.exe using the two given parameters and filters the output using find.exe, outputting the results to the text file.
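The same search, as an added example that is not part of the article: a PowerShell function equivalent to binstr.bat plus binstr_func.bat that needs neither strings.exe nor find.exe. It decodes each file 1:1 with the Latin-1 code page so that string index equals byte offset, and looks for the pattern both as ASCII and as UTF-16LE. That second encoding matters because the message-table resources in Windows binaries, where most event log text comes from (note the %1 and %2 placeholders in Figure 6), are stored as UTF-16LE, and a byte-wise search for the ASCII form alone can miss the real source. The function name, the output format and the 200-byte snippet limit are this example's choices; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the article): a PowerShell equivalent of binstr.bat and
# binstr_func.bat. Searches .exe/.dll files under $Path for $Pattern in both ASCII
# and UTF-16LE, logging "offset:text [encoding]" lines like strings.exe -o would.
function Find-BinaryString {
    param(
        [Parameter(Mandatory = $true)][string]$Path,     # directory to scan recursively
        [Parameter(Mandatory = $true)][string]$Pattern,  # text copied from the event log entry
        [string]$LogPath = (Join-Path (Get-Location) 'binstr_output.txt'),
        [string[]]$Include = @('*.exe', '*.dll')
    )
    $latin1 = [System.Text.Encoding]::GetEncoding(28591)
    # Both needle encodings, re-expressed as Latin-1 strings so String.IndexOf can find them
    $needles = @{
        ascii   = $latin1.GetString([System.Text.Encoding]::ASCII.GetBytes($Pattern))
        utf16le = $latin1.GetString([System.Text.Encoding]::Unicode.GetBytes($Pattern))
    }
    $cmp  = [System.StringComparison]::OrdinalIgnoreCase   # same effect as find.exe /i
    $hits = @()

    $files = Get-ChildItem -Path $Path -Recurse -Include $Include | Where-Object { -not $_.PSIsContainer }
    foreach ($f in $files) {
        Write-Host $f.FullName                                   # progress, as binstr_func.bat does
        Add-Content -Path $LogPath -Value ('"{0}"' -f $f.FullName)
        $text = $latin1.GetString([System.IO.File]::ReadAllBytes($f.FullName))
        foreach ($enc in $needles.Keys) {
            $pos = $text.IndexOf($needles[$enc], $cmp)
            while ($pos -ge 0) {
                # Take the run of bytes starting at the hit (up to 200) and keep the printable prefix
                $raw = $text.Substring($pos, [Math]::Min(200, $text.Length - $pos))
                if ($enc -eq 'utf16le') {
                    $raw = [System.Text.Encoding]::Unicode.GetString($latin1.GetBytes($raw))
                }
                $snippet = ($raw -split '[^\x20-\x7E]', 2)[0]    # stop at the first non-printable char
                Add-Content -Path $LogPath -Value ('{0}:{1} [{2}]' -f $pos, $snippet, $enc)
                $hits += [pscustomobject]@{ File = $f.FullName; Offset = $pos; Encoding = $enc; Text = $snippet }
                $pos = $text.IndexOf($needles[$enc], $pos + 1, $cmp)
            }
        }
    }
    Add-Content -Path $LogPath -Value "Scan finished... please see $LogPath"
    return $hits
}

# Usage, mirroring Figure 5:
# Find-BinaryString -Path 'C:\Program Files\Microsoft Office' -Pattern 'Outlook detected a large number'
```

Search for a fragment of the message that contains no variable data (the part before the first parenthesis, as the article does), because the binary holds the template with %1 and %2 placeholders, not the filled-in text you see in the event log.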

Let's use an example to demonstrate usage and the output of the batch file. We'll take an event log entry, which Figure 4 shows, for which we already have a good idea of the source, as it's indicated in the message itself. We can use this to verify that we did indeed find the correct message, using binstr.bat and binstr_output.txt, as Figures 5 and 6 show.


Figure 4: Example Application event log entry (Event ID 51, source Outlook): "Outlook detected a large number of consecutive deletes (...) from folder ..."


C:\tmp>binstr.bat "c:\Program Files\Microsoft Office\" "Outlook detected a large number"

"c:\Program Files\Microsoft Office\Live Meeting 8\Addins\LMAddins.dll"
"c:\Program Files\Microsoft Office\Live Meeting 8\Addins\DA\LMIntSat.dll"

<snip>

Scan finished... please see c:\tmp\binstr_output.txt

Figure 5: Using binstr.bat


<snip>

"c:\Program Files\Microsoft Office\Office14\1033\IPOLKINTL.DLL"

"c:\Program Files\Microsoft Office\Office14\1033\MAPIR.DLL"

1099256:Outlook detected a large number of consecutive deletes (%1) from folder '%2'.
"c:\Program Files\Microsoft Office\Office14\1033\MAPISHELLR.DLL"

"c:\Program Files\Microsoft Office\Office14\1033\MOR6INT.DLL"

<snip>

Figure 6: binstr_output.txt

The hit sits under MAPIR.DLL, and it's the message template rather than the logged text: %1 and %2 are insertion strings that Windows fills in when the event is written. That's why the search fragment was chosen from the fixed part of the message.

Demystified Errors

Error messages can sometimes be vague, and their source can be a mystery. The two techniques demonstrated in this article are by no means the only ways to help track down the source of mysterious error messages. But they should give you some insight into a few techniques and tools that can help you make progress on root-cause analysis when you may otherwise feel like you're at a dead end.

InstantDoc ID 103501


Special thanks to Chris Carr, a Microsoft senior 
escalation engineer, who significantly contributed 
to this article. 


MICHAEL MORALES (morales@microsoft.com) is a senior escalation engineer for Microsoft's Global Escalation Services team. He specializes in advanced Windows debugging and performance-related issues. For information about Windows debugging, visit blogs.msdn.com/ntdebugging.
SOLUTIONS FROM YOUR PEERS

READER TO READER

■ Troubleshoot CPU Spikes
■ Get, Set, and Clear Computer Descriptions


Troubleshooting CPU Spikes in the System Process

Our three development 
domain controllers (DCs) 
were suffering from CPU 
spikes. As a result, users were 
experiencing slow logons and all 
sorts of lags when querying Active 
Directory (AD). I ended up trying several 
techniques and using several tools to find the 
reason for the CPU spikes on our DCs. 

I began by checking each DC's CPU 
usage in Process Explorer. This free tool 
(technet.microsoft.com/en-us/sysinternals/ 
bb896653.aspx) shows you information 
about the objects (e.g., DLLs, handles, reg¬ 
istry keys) a process has opened or loaded. 
Before using Process Explorer, though, you 
should configure it to download symbols 
so that binary data is converted into read¬ 
able information. To do so, you just need to 
select Configure Symbols on the Options 
menu. Process Explorer uses the Debugging 
Tools for Windows (www.microsoft.com/ 
whdc/devtools/debugging/default.mspx) 
to make the conversions, so you need that 
toolset installed to use this option. 

As Figure 1 shows, I found that the System process was typically consuming around 50 percent of CPU time. The System process isn't bound to an executable image like other processes. Its existence serves OS threads for Windows subsystems and device drivers. CPU spikes in the System process could mean a misbehaving device driver. To get more information toward that end, I decided to look at CPU usage at the thread and stack level.

I double-clicked the System process to bring up its Properties dialog box, then selected the Threads tab. As Figure 2, page 17, shows, I found several threads, each of which was consuming about 5 percent of CPU time. These threads were logically associated with Srv.sys, which is the file server device driver that responds to network I/O requests for file data on disk partitions shared on a network. Because I previously configured symbols for OS images in Process Explorer, the thread list also showed the function name, which was WorkerThread. In other words, they were system worker threads.

Because any device 
driver can submit work 
to a system worker 
thread, I still didn't know 
the source of the request. So, I highlighted 
one of the threads and pressed the Module 
button to see more information about 
the file (aka module) behind that thread. 
Sometimes the Version tab in the dialog box 
that appears includes a description of the 
component that submitted the work, but 
unfortunately that wasn't the case this time. 

Another way to determine the component that submitted work to a system worker thread is to use the Kernel Profiling Tool (kernrate.exe). This command-line tool lets you track CPU utilization by kernel-mode and user-mode processes. Although the Kernel Profiling Tool has been deprecated, you can still download it at www.microsoft.com/whdc/system/sysperf/krview.mspx. You can also find it in the Microsoft Windows Server 2003 Resource Kit.

When I ran the Kernel Profiling 
Tool, a module named mfehidk caught 
my attention. To find the device driver 
associated with this module, I used the 
free Strings utility (technet.microsoft.com/ 
en-us/sysinternals/bb897439.aspx). By 
running the command 

strings *.sys | findstr mfehidk 

from the C:\Windows\System32\drivers 
directory I was able to determine that the 
module was associated with the McAfee 
device driver installed in my system. (You 
can also use other search techniques, 
which are discussed in the Microsoft 
article "How to find pool tags that are used 
by third-party drivers"at support.microsoft 
.com/kb/298102/en-us.) 

I unregistered the module using the 
Regsvr32 command, then monitored the 
DCs for improvements in CPU usage. I was 
dismayed to see that the spikes didn't go 
away. 
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Figure 1: Using Process Explorer to determine CPU usage at the process level 



Figure 2: Using Process Explorer to determine CPU usage at the 
thread level 


In despair, I turned to Process Monitor. 
This free tool (technet.microsoft.com/en- 
us/sysinternals/bb896645.aspx) lets you 
monitor file system, registry, and process 
activities in real time. To output the activ¬ 
ity of the System process only, I selected 
the Enable Advanced Output option on 
the Filter menu and selected Include 'Sys¬ 
tem'. Figure 3 shows sample results. 

The DCs were serving logon scripts at 
the time of the data capture, so several 
OPLOCK NOT GRANTED entries provided 
an important clue. After some investiga¬ 
tion, I found that a badly designed logon 
script was the culprit. The logon script had a 
reference to a missing network share. After 
I corrected the script, the System process's 
CPU usage dropped to about 5 percent on 
the DCs. 


My experiences will hopefully give you an idea of some of the tools and techniques you can use to troubleshoot performance problems in the System process. You can find more details on the troubleshooting steps I took in my blog entry "Troubleshooting the System Process (CPU Spikes)" at rfvicente.spaces.live.com/blog/cns!5228FAA8B79B6EB1!590.entry.

—Ricardo Vicente, 
systems administrator, 
GFI Portugal 
InstantDoc ID 103376 
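The step above where a module name from kernrate (mfehidk) had to be tied back to a vendor, done as an added example that is not part of Ricardo's write-up: a PowerShell function that maps each installed kernel driver to its file on disk, the vendor recorded in the file's version resource, and its Authenticode signer, so the "which third party is running in my kernel" question is answered in one listing instead of a strings search per name. It assumes PowerShell 3.0 or later and uses the Win32_SystemDriver WMI class; the function name and the path normalization are this example's.

```powershell
# Added example (not from the reader's submission): inventory kernel drivers with
# vendor and signer, or look one up by the module name seen in kernrate / Process Explorer.
function Get-KernelDriverInfo {
    param([string]$NameFilter = '*')    # wildcard on the driver/service name, e.g. 'mfe*'

    Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.Name -like $NameFilter -and $_.PathName } |
        ForEach-Object {
            # Normalize the path forms WMI hands back: \??\C:\..., \SystemRoot\..., system32\...
            $path = $_.PathName -replace '^\\\?\?\\', ''
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot
            if ($path -notmatch '^[A-Za-z]:\\') { $path = Join-Path $env:SystemRoot $path }

            $company = $null; $desc = $null; $signer = $null; $sigStatus = 'FileMissing'
            if (Test-Path -LiteralPath $path) {
                $ver       = (Get-Item -LiteralPath $path).VersionInfo
                $company   = $ver.CompanyName          # e.g. McAfee for mfehidk.sys
                $desc      = $ver.FileDescription
                $sig       = Get-AuthenticodeSignature -FilePath $path
                $sigStatus = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                Module          = $_.Name
                State           = $_.State
                StartMode       = $_.StartMode
                Path            = $path
                Company         = $company
                Description     = $desc
                Signer          = $signer
                SignatureStatus = $sigStatus
            }
        }
}

# Usage:
#   Get-KernelDriverInfo -NameFilter 'mfe*' | Format-List
#   Get-KernelDriverInfo | Where-Object { $_.State -eq 'Running' -and $_.Company -notlike 'Microsoft*' } |
#       Format-Table Module, Company, SignatureStatus, Path -AutoSize
```

Two caveats when reading the output: drivers that ship with Windows are usually catalog-signed, so Get-AuthenticodeSignature reports NotSigned for them even though they are trusted (the signature lives in a .cat file, not the .sys), and CompanyName is whatever the vendor wrote into the resource, so treat the signer field as the authoritative one for third-party files.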

Get, Set, and Clear Computer 
Descriptions With Ease 

Setting the computer descriptions that people see when they're browsing the network is one of those odd tasks that isn't easy to centrally manage but can be important in some network environments. Although you can use the Microsoft Management Console (MMC) to perform this task, it's laborious when you have to do so on a remote computer. So, I wrote a script, NetComment.vbs, that lets you quickly check, set, or remove the description for a remote or local computer. You can even use it to check or clear descriptions for multiple computers. (I use the term computer description because that's the value displayed in the Comments field if you browse computers on the network from a Windows Server 2003, Windows XP, or Windows 2000 machine.)

Before I describe how to use NetComment.vbs, I want to point out that there's one traditional way to quickly modify a description: Use the Net Config Server command with the /srvcomment parameter. However, this command immediately writes the current LAN Manager Service data to the registry, so the service will no longer be auto-tuning. The only way you can restore auto-tuning is to manually delete all the tuning parameters under the registry key HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters. If you've used the Net Config Server command to set a system's description and need to restore the LAN Manager Service's auto-tuning behavior, see the Microsoft article "Server Service Configuration and Tuning" (support.microsoft.com/kb/128167).

You can download NetComment.vbs by going to www.windowsitpro.com, entering 103377 in the InstantDoc ID box, clicking Go, then clicking the 103377.zip link near the top of the page. First, I'll show you how to use this script to get, set, and clear computer descriptions on a single computer. Then, I'll show you how to use it for batch operations. I'll also tell you about a few details you need to be aware of.

[Figure 3, from "Troubleshooting CPU Spikes in the System Process" above: Using Process Monitor to monitor the System process in real time]

Getting a computer description. You can check the description for a remote computer by using its IP address or name. For example, the following commands will return a remote computer's description if a description has been set:

NetComment 192.168.1.23 
NetComment PrintServer02 

The information is returned in the format 
computer name = computer description. 

If a description hasn't been set for the 
computer, you'll receive the message net 
error 1. This is normal because you're try¬ 
ing to access a registry value that doesn't 
exist. You'll also receive an error message 
when a remote computer is unavailable. 

You can check the description for 
the local computer by using its name, its 
IP address, a period, or nothing at all. So, 
for example, all of the following com¬ 
mands will return the local computer's 
description: 

NetComment Angel1
NetComment 127.0.0.1
NetComment .
NetComment

Because you can run the script without 
any arguments, you can use it as a quick 
point-and-click tool for checking local 
computer descriptions. (NetComment.vbs 
works properly in both the WScript and 
CScript environments.) 

Setting or clearing a computer 
description. To set a description for a 
remote computer, you just need to add 
the description as the second argument, 
with double quotes surrounding it if the 
description includes spaces. For example, 
if you want to set PrintServer02's descrip¬ 
tion as Engineering Printers, you'd use the 
command 

NetComment PrintServer02 "Engineering Printers"

To set the description for the local computer, you must supply both the computer name and a description, as in

NetComment 127.0.0.1 "Test PC"


If you fail to provide a computer name 
when setting a description, the script 
won't work correctly. 

You use the same technique to remove 
a remote or local computer's description. 
To remove the description, specify the 
computer's name and give it an empty 
description by using a pair of empty 
double quotes, as in 

NetComment PrintServer "" 

NetComment 127.0.0.1 "" 

As these examples show, you must supply 
both the computer name and the pair of 
empty double quotes to clear a description, 
no matter whether the computer is remote 
or local. 

Using NetComment.vbs for batch 
operations. Although written for use 
against one computer at a time, it's pos¬ 
sible to use NetComment.vbs with a batch 
file wrapper to handle multiple computers 
in one batch operation. I wrote two wrap¬ 
per scripts: BatchNetComment.cmd, which 
checks the descriptions for multiple com¬ 
puters, and BatchClearNetComment.cmd, 
which clears the descriptions for multiple 
computers. (I didn't write a wrapper 
script to set descriptions for multiple 
computers.) 

To use the wrapper scripts, 
save BatchNetComment.cmd and 
BatchClearNetComment.cmd in the 
same folder as NetComment.vbs. (You 
can find these wrapper scripts in the 
103377.zip file.) Then, assuming you have 
a list of computer names saved to the 
file c:\tmp\nodes.txt (one name per line), 
use one of the following commands. If you 
want to check the description for each 
computer named in the text file, run the 
command 

BatchNetComment c:\tmp\nodes.txt 

If you want to clear the description for 
each computer named in the text file, run 
the command 

BatchClearNetComment c:\tmp\nodes.txt 

A few details to be aware of. There are 
a few things you should be aware of when 
using NetComment.vbs and the wrapper 
scripts: 


• You need administrator permissions to 
successfully change a description. 

• Changes to the description might 
not take effect until after the 
modified system reboots and has 
its description propagated over the 
network. 

• NetComment.vbs uses the Windows 
Management Instrumentation (WMI) 
Registry Provider to avoid some of the 
problems that can occur when trying to 
use other WMI classes for the same job 
(notably, an occasional issue with using 
WMI's Put_ on Windows Vista). This 
also means you need remote access to 
WMI on the system you're checking or 
modifying. 

• NetComment.vbs will work on 
Windows 2000 and later. It will also 
work on earlier versions if WMI is 
installed. 

• BatchNetComment.cmd and BatchClearNetComment.cmd will work on Windows 2000 and later. They use the usebackq option, so they won't work on earlier versions.

• When setting computer descriptions, 
NetComment.vbs will silently trim them 
to no more than 48 characters because 
long descriptions can cause problems. 
Windows servers will normally suppress 
long descriptions, but non-Windows 
browse masters will pass them on, 
sometimes causing Windows network 
services to crash. (For more information 
about this problem, see "The Service 
Host Process May Stop Unexpectedly in 
Windows Server 2003" at support 
.microsoft.com/kb/932762.) Note that if a longer description has already been set, NetComment.vbs will display it as is.

With NetComment.vbs, you can quickly 
get, set, or clear a computer's description, 
no matter whether it's a remote or local 
machine. With BatchNetComment.cmd 
and BatchClearNetComment.cmd, you can 
quickly retrieve or remove descriptions 
for multiple computers. Although these 
three scripts might not be ideal for every 
description-change scenario as is, you can 
modify the core code to meet your specific 
needs.

—Alex K. Angelopoulos, IT consultant 
InstantDoc ID 103377 
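The get/set/clear operations described above, as an added example that is not part of the reader's submission (NetComment.vbs itself is in the 103377.zip download): the same work done from PowerShell through the WMI registry provider (StdRegProv), which reads and writes the srvcomment value under the LanmanServer parameters key directly and so, unlike net config server /srvcomment, leaves the service's auto-tuning parameters alone. It trims descriptions to 48 characters as NetComment.vbs does, and a missing value comes back as ReturnValue 1, the "net error 1" the article mentions. It assumes PowerShell 3.0 or later, administrator rights on the target, and remote WMI access; the function names are this example's.

```powershell
# Added example (not the reader's code): read, set or clear the server comment
# (what browsing clients show as the computer description) via StdRegProv.
$script:HKLM = [uint32]2147483650                                      # HKEY_LOCAL_MACHINE
$script:SrvKey = 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'

function Get-ComputerDescription {
    param([string]$ComputerName = '.')                                 # '.' = local machine
    $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    $r   = $reg.GetStringValue($script:HKLM, $script:SrvKey, 'srvcomment')
    if ($r.ReturnValue -ne 0) {
        # ReturnValue 1 = value not present, i.e. no description has ever been set
        return [pscustomobject]@{ Computer = $ComputerName; Description = $null; Error = $r.ReturnValue }
    }
    [pscustomobject]@{ Computer = $ComputerName; Description = $r.sValue; Error = 0 }
}

function Set-ComputerDescription {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [Parameter(Mandatory = $true)][AllowEmptyString()][string]$Description   # "" clears it
    )
    $reg = [wmiclass]"\\$ComputerName\root\default:StdRegProv"
    if ($Description -eq '') {
        $r = $reg.DeleteValue($script:HKLM, $script:SrvKey, 'srvcomment')
    } else {
        if ($Description.Length -gt 48) {
            # Long comments can crash network services via non-Windows browse masters (KB 932762)
            Write-Warning 'Trimming description to 48 characters.'
            $Description = $Description.Substring(0, 48)
        }
        $r = $reg.SetStringValue($script:HKLM, $script:SrvKey, 'srvcomment', $Description)
    }
    return $r.ReturnValue   # 0 on success; the change shows up once the server service re-announces
}

# Usage:
#   Get-ComputerDescription PrintServer02
#   Set-ComputerDescription -ComputerName PrintServer02 -Description 'Engineering Printers'
#   Set-ComputerDescription -ComputerName PrintServer02 -Description ''
# Batch check, the equivalent of BatchNetComment.cmd:
#   Get-Content C:\tmp\nodes.txt | ForEach-Object { Get-ComputerDescription -ComputerName $_ }
```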
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ANSWERS TO YOUR QUESTIONS 



Q: How can I exclude words from 
the Outlook 2007 spell check 
dictionary? 

A: An Outlook SNAFU that few people consider before it happens to them is the problem of correctly spelled words appearing in the wrong context. You might not want certain words of a sensitive nature to appear in your business correspondence, email messages, or Word documents. To prevent a potentially embarrassing situation, you can configure Outlook to highlight such terms when you or users in your organization compose messages. In some cases, these words will automatically be underlined by the grammar checking feature, but some inappropriate misspellings might not be underlined at all. For example, the following sentence passes the spell checker, but the grammar checker identifies the problem:

"The penis mightier than the sword."

In other cases, neither spell check nor grammar check recognizes an issue. For example, I frequently make the following typo: "Can I get permission to the pubic folders?"


In business email correspondence, depending on the nature of the business of course, it's probably rare to use the terms "penis" or "pubic." Outlook 2007 uses Word 2007 for both rendering and composing email messages. Although not everyone has been happy with this change, it lets you use certain features from Word when you compose an email message. One of these features is granular control of the dictionaries used for spell checking. Word has a custom dictionary to which you can add words that you don't want to show up as misspelled, including names. But you can also exclude words that Word considers spelled correctly so they show up as misspelled in your document. For Office 2007, Microsoft creates a separate exclusion file for each language installed. The exclusion file is named in the format

ExcludeDictionary<Language_Code><Locale_ID>.lex

The Language Code is a two-letter code for the installed languages in Office 2007, such as EN for English, DE for German, and FR for French. The Locale ID is a four-digit hexadecimal code specifying the localized form of the language, such as 0409 for United States and 0809 for United Kingdom. There's a list of Locale IDs on MSDN, although this isn't the official, complete list for Office.

On my Windows 7 system with Office 2007, I have English-United States and English-United Kingdom installed. The exclusion files are named ExcludeDictionaryEN0409.lex and ExcludeDictionaryEN0809.lex. In Windows 7, you can find the exclusion file(s) at C:\Users\<user_name>\AppData\Roaming\Microsoft\UProof.

Q: I need to perform an AD database restore. Can I just stop the Active Directory service (NTDS) on my Windows Server 2008 or later domain controller (DC), perform the restore, then start the service again?

A: No. Server 2008 has an Active Directory (AD) service that you can stop and restart, but that capability is only usable for certain scenarios. If you need to restore an AD database, you need to boot the DC into Directory Services Restore Mode (DSRM), restore the backup, mark the objects you want to keep as authoritative, and boot back into normal mode.

The AD service's ability to restart can be used if you have a DC that still has an object that has been changed or deleted (perhaps you have a lag configured for the DC's site). You could stop NTDS, mark objects as authoritative, then restart NTDS. No reboot is required.

—John Savill

InstantDoc ID 103221

In Windows Server 2008 and Windows Vista, the exclusion files are found at C:\Users\<user_name>\AppData\Microsoft\UProof. In Windows Server 2003 and Windows XP, the exclusion files are found at C:\Documents and Settings\<user_name>\Application Data\Microsoft\UProof.

The exclusion files are text files that can be edited in any text editor, including Notepad. Simply add words that you want to show as misspelled and press enter after each term. Outlook must be restarted to capture any new additions to this file. Of course, this text file could be pushed out to clients through Group Policy, a logon script, or another enterprise application distribution mechanism. If you distribute a common set of exclusions in this manner, it will overwrite any custom exclusions your users might have added.
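The overwrite problem just described can be avoided by merging rather than copying. The following script is an added example, not code from the article or its author: it reads whatever the user already has in the exclusion file, adds the centrally managed terms that are missing, and writes the union back. It assumes the Windows 7 path given above (%APPDATA%\Microsoft\UProof), one term per line, and that Office reads the .lex file as Unicode (UTF-16) text; the managed term list is a constructed sample.

```powershell
# Added example, not from the article: merge centrally managed exclusion terms into
# the user's Office 2007 exclusion dictionary instead of overwriting it.
# Assumptions: the Windows 7 path from the article (%APPDATA%\Microsoft\UProof),
# one term per line, and that Office reads the .lex file as Unicode (UTF-16) text.
param(
    [string]$LanguageCode = 'EN',
    [string]$LocaleId     = '0409',
    # Constructed sample list; in deployment this would be read from a GPP or logon-script share.
    [string[]]$ManagedTerms = @('penis', 'pubic')
)

$uproofDir = Join-Path $env:APPDATA 'Microsoft\UProof'   # C:\Users\<user_name>\AppData\Roaming\Microsoft\UProof
$lexFile   = Join-Path $uproofDir ('ExcludeDictionary{0}{1}.lex' -f $LanguageCode, $LocaleId)

if (-not (Test-Path $uproofDir)) {
    New-Item -ItemType Directory -Path $uproofDir | Out-Null
}

# Terms the user already excluded; an empty list if the file does not exist yet.
$existing = @()
if (Test-Path $lexFile) {
    $existing = @(Get-Content -Path $lexFile -Encoding Unicode |
                  ForEach-Object { $_.Trim() } |
                  Where-Object { $_ })
}

# Union of user terms and managed terms; case-insensitive, user's entries keep their order.
$seen   = @{}
$merged = New-Object 'System.Collections.Generic.List[string]'
foreach ($term in @($existing + $ManagedTerms)) {
    $key = $term.ToLowerInvariant()
    if (-not $seen.ContainsKey($key)) {
        $seen[$key] = $true
        $merged.Add($term)
    }
}

$added = $merged.Count - $existing.Count
if ($added -gt 0) {
    # Outlook reads the file at start-up, so the user must restart Outlook to see the effect.
    Set-Content -Path $lexFile -Value $merged.ToArray() -Encoding Unicode
    Write-Host ("{0}: added {1} managed term(s), kept {2} user term(s)." -f $lexFile, $added, $existing.Count)
} else {
    Write-Host ("{0}: already contains all managed terms." -f $lexFile)
}
```

Because the file lives under the user's profile, run this in the user's context (a logon script or a per-user scheduled task), not as a machine start-up script.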


www.windowsitpro.com | We're in IT with You | Windows IT Pro | MARCH 2010 | 19










■ ASK THE EXPERTS

[Figure 1 (screenshots): two Outlook 2007 message windows. The first, subject "Exclusion terms", contains the lines "The penis mightier than the sword." and "Can I get permission to the pubic folders?" with no spelling marks. The second, subject "Added exclusion", contains the same sentences (the second reading "May I get permission to the pubic folders?") with "penis" and "pubic" underlined as misspelled.]

Figure 1: Sample use of the word exclusion feature in Outlook.


Figure 1 shows two new email messages. The first was composed prior to adding the terms "penis" and "pubic" to the exclusion file. The second message was composed after adding those terms and restarting Outlook. Notice the red line under both terms, suggesting that they are misspelled. The red line warning might assist some people in ensuring the proper intent and accuracy of their email messages.

—William Lefkovics

InstantDoc ID 103017

Q: I'm looking for an easy mechanism to maintain the local administrator passwords that we need for accessing Directory Services Restore Mode (DSRM) on our domain controllers (DCs). Often, no one remembers or can retrieve the DSRM password that was set during a DC promotion years ago. I know I can reset the DSRM passwords using the ntdsutil command line tool, but is there any way that I can set and maintain a single DSRM administrator password that applies to all my DCs? Does Microsoft provide some Active Directory (AD)-based synchronization mechanism for DSRM passwords on DCs?

A: Microsoft released a feature for Windows Server 2008 that allows you to synchronize the DSRM password on a DC with the password of a domain user account. This feature is part of hotfix KB961320 for Windows Server 2008 and is included in Windows Server 2008 SP2 and Windows Server 2008 R2. You can't use this feature on Windows 2000 or Windows Server 2003 DCs.

After the hotfix has been installed and you've rebooted your DC, you can use the following ntdsutil command to synchronize the DSRM password with the password of a domain user account:

ntdsutil "set dsrm password" "sync from domain account <domain_account_name>" q q

Replace <domain_account_name> with the name of the domain user account that you want the DSRM password to be synchronized with.


The feature provides a one-time synchronization—you must synchronize every time the password is changed. To ensure that the DSRM passwords are automatically synchronized on a regular basis, you can create a scheduled task for the above ntdsutil command and force it to run on your DCs using Group Policy Preferences (GPPs). How to set this up in GPPs is explained in great detail in a TechNet blog article at tinyurl.com/yz4cxz5.

This new feature doesn't take away the need to secure DSRM accounts and their passwords properly. When you use this feature, you're using the same DSRM password for all your DCs, so it becomes even more important to worry about the strength of this password. You must also consider the frequency of the DSRM password change and the quality of the process used to change the DSRM password.

—Jan De Clercq

InstantDoc ID 103172
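A scheduled task that silently fails leaves every DC with an unknown DSRM password, which is the situation the question started from. The script below is an added example (not the author's code or Microsoft's) of a wrapper for the ntdsutil command above that is suitable as the GPP scheduled-task action: it confirms the sync account exists and is enabled before running ntdsutil, and records success or failure in the Application event log. It assumes it runs elevated on a Windows Server 2008 SP2/R2 (or KB961320-patched) DC; the account name is a placeholder, and the ntdsutil success wording it matches on ("synchronized successfully") is an assumption to verify against your build.

```powershell
# Added example, not from the article: scheduled-task wrapper for the ntdsutil DSRM
# synchronization described above. Assumptions: runs elevated on a Server 2008 SP2/R2
# (or KB961320-patched) DC; $SyncAccount is a placeholder; the success wording matched
# below ('synchronized successfully') is assumed and should be checked against your build.
param(
    [string]$SyncAccount = 'DSRMSyncAccount',     # placeholder: dedicated domain account with a strong password
    [string]$LogSource   = 'DSRM Password Sync'
)

function Write-SyncEvent($Type, $Id, $Message) {
    if (-not [System.Diagnostics.EventLog]::SourceExists($LogSource)) {
        New-EventLog -LogName Application -Source $LogSource
    }
    Write-EventLog -LogName Application -Source $LogSource -EntryType $Type -EventId $Id -Message $Message
}

# Only domain controllers run the NTDS service; refuse to run anywhere else.
if (-not (Get-Service -Name NTDS -ErrorAction SilentlyContinue)) {
    throw 'NTDS service not found; this host is not a domain controller.'
}

# Check the sync account before calling ntdsutil: a typo or a disabled account would
# otherwise leave the DSRM password unchanged while the task appears to run fine.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$SyncAccount))"
$account = $searcher.FindOne()
if ($account -eq $null) {
    Write-SyncEvent 'Error' 1001 "Sync account '$SyncAccount' not found; DSRM password NOT synchronized."
    exit 1
}
$uac = [int]$account.Properties['useraccountcontrol'][0]
if ($uac -band 0x2) {   # ACCOUNTDISABLE flag
    Write-SyncEvent 'Error' 1001 "Sync account '$SyncAccount' is disabled; DSRM password NOT synchronized."
    exit 1
}

# The ntdsutil command from the article, with its console output captured for the log.
$output = & ntdsutil.exe 'set dsrm password' "sync from domain account $SyncAccount" q q 2>&1 | Out-String

if ($output -match 'synchronized successfully') {
    Write-SyncEvent 'Information' 1000 "DSRM password synchronized from '$SyncAccount'.`r`n$output"
    exit 0
}
Write-SyncEvent 'Error' 1002 "DSRM synchronization failed.`r`n$output"
exit 1
```

Run it as the GPP scheduled task under the local SYSTEM account on each DC, and have your monitoring raise an alert on Event IDs 1001 and 1002 from this source. Keep in mind, as the answer says, that the sync account's password is now effectively the DSRM password on every DC, so it deserves the same handling as any other domain-wide privileged credential.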

Q: How do I disable AutoArchive in Microsoft Outlook?

A: A default installation of Microsoft Outlook will eventually launch a pop-up prompt that asks the user if he or she would like to AutoArchive content. AutoArchive runs every 14 days by default. This feature sounds reasonable, but what it does is create a new .pst file called archive.pst, by default, and saves older content based on user configuration options. The creation of .pst files on client workstations can decentralize messaging data. This poses challenges for administrators, such as recoverability in the event of disaster or e-discovery in the face of litigation. There may even be some companies that have specific policies against the creation of .pst files. Thankfully, Outlook provides an option to prevent the creation of .pst files.

You can cut down on the proliferation of unnecessary AutoArchive file content by using DisablePST. DisablePST is a registry value used to prevent the creation of PST files by Outlook users. (For background on working with .pst files see my article, "Managing PST Files in Outlook," InstantDoc ID 99336.) DisablePST can be deployed through Group Policy, the Office Customization Tool (in Office 2007) or even a .reg file in a logon script. Outlook reads configuration settings from the registry at start up, so any registry changes that impact the local installation of Outlook require a restart of Outlook to incorporate those changes. DisablePST also removes the configuration option for AutoArchive in the Tools, Options menu in Outlook.

A small problem arises when the user has already configured AutoArchive before the administrator has deployed a DisablePST policy. AutoArchive will continue to run and feed archive.pst (or whatever file name the user chose), but the user will no longer be empowered to make any changes to AutoArchive, such as turn it off.

If the DisablePST entry is applied to an existing Outlook installation where the user has already configured AutoArchiving, then you need to turn off the registry entry, restart Outlook, and then turn off AutoArchive. Afterwards, reapply the DisablePST registry value, and then restart Outlook. Alternatively, a Group Policy applying the DisablePST registry value should also disable AutoArchive at the same time.


In Group Policy, load the Office Outlook 2007 template (Outlk12.adm) and under User Configuration\Administrative Templates\Microsoft Office Outlook 2007\Tools, Options, Other, AutoArchive select Disable File, Archive. Yes, you enable the disabling of the feature.

—William Lefkovics

InstantDoc ID 103148
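For a logon-script deployment rather than Group Policy, the following script is an added example (not the author's) of doing what the answer recommends: turn AutoArchive off and apply DisablePST in the same pass, so a user who already configured AutoArchive is not left with a running archive job they can no longer switch off. The article names the DisablePST value but not its registry location; the Outlook 2007 policy and preference key paths and the DoAging value below come from my own knowledge of the Outlk12.adm template, not from the article, and should be checked against that template before deployment.

```powershell
# Added example, not from the article: apply DisablePST and switch AutoArchive off together.
# Registry locations are the Outlook 2007 policy/preference keys as I know them from the
# Outlk12.adm template (an assumption to verify), not values quoted in the article.
$policyKey   = 'HKCU:\Software\Policies\Microsoft\Office\12.0\Outlook'
$policyPrefs = Join-Path $policyKey 'Preferences'
$userPrefs   = 'HKCU:\Software\Microsoft\Office\12.0\Outlook\Preferences'

function Get-OutlookPstState {
    # Reports what Outlook will see at its next start: the policy value DisablePST and
    # the user's own AutoArchive switch (DoAging, 1 = AutoArchive runs).
    $disablePst = (Get-ItemProperty -Path $policyKey -Name DisablePST -ErrorAction SilentlyContinue).DisablePST
    $doAging    = (Get-ItemProperty -Path $userPrefs -Name DoAging    -ErrorAction SilentlyContinue).DoAging
    New-Object PSObject -Property @{
        DisablePST         = $disablePst
        AutoArchiveEnabled = ($doAging -eq 1)
    }
}

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    # Outlook reads these keys only at start-up, exactly as the answer describes.
    Write-Warning 'Outlook is running; the new settings take effect after it is restarted.'
}

'Before:'; Get-OutlookPstState | Format-List

foreach ($key in $policyKey, $policyPrefs, $userPrefs) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# 1. Turn AutoArchive off in the user's own preferences (what the user would do via Tools, Options)...
Set-ItemProperty -Path $userPrefs   -Name DoAging    -Value 0 -Type DWord
# 2. ...and pin it off by policy so it cannot be re-enabled from the UI.
Set-ItemProperty -Path $policyPrefs -Name DoAging    -Value 0 -Type DWord
# 3. Only then block .pst creation; doing this first would recreate the stuck-AutoArchive problem.
Set-ItemProperty -Path $policyKey   -Name DisablePST -Value 1 -Type DWord

'After:'; Get-OutlookPstState | Format-List
```

Note that a user-hive setting written by a script can be changed back by the user; the policy value under HKCU\Software\Policies is what actually removes the option from the UI, which is why the script sets both.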

Q: How do I enable jumbo frames?

A: Windows Vista and Windows Server 2008 introduced jumbo frames support, which enables a much larger Maximum Transmission Unit (MTU) size for data being sent over a network. The larger MTU means more data can be sent before requiring an acknowledgement. Because you send fewer packets for the same data payload, you use less network and computational overhead.

A normal Ethernet frame can be up to 1,518 bytes. This figure includes all the TCP and IP overhead, so the actual amount of data that can be carried is much lower—normally around 500 bytes. This frame size has been around since 10Mbps networks and was designed to minimize the amount of data that had to be resent in the event of network errors, which were very common in the early days (1980s).

Networks today are far more reliable and higher performing. Jumbo Frames allow frame sizes up to 9KB, which means each frame can contain 8KB of data (which just happens to match the NFS datagram size, so with Jumbo frames an entire NFS block can be sent in a single frame).

Most gigabit network equipment supports frame sizes of up to 9KB, but larger frame sizes are possible. IPv4 uses a 32-bit value for error checking, so the maximum possible frame size using IPv4 is 12KB. IPv6 uses a 64-bit value, so it could allow much larger frame sizes.

Vista and Server 2008 support jumbo frames by default, but most network adapters have jumbo frames disabled. To take advantage of jumbo frames, you need to enable it on your network adapter. The process of enabling it varies based on your network adapter and driver.

1. Open the Network and Sharing Center.

2. Click Change adapter settings.

3. Right-click the NIC for which you want to enable jumbo frames and select Properties.

4. Under the Networking tab, click the Configure button for the network adapter.

5. Select the Advanced tab.

6. Select Jumbo Frame and change the value from disabled to the desired value, such as 9KB MTU or 9,014 Bytes, depending on the NIC.

7. Click OK to all dialogs.

Note that when you make the change, the NIC will lose network connectivity for a few seconds. You should also reboot to ensure the change has taken effect.

Be aware that most SOHO switches don't support jumbo frames. Also, even enterprise switches disable jumbo frames by default and will need to have the feature enabled. I had to disable jumbo frames on my computer because the local switch didn't support jumbo frames and was breaking my communication to the rest of the network—both computers negotiated to use larger frame sizes, but the equipment in the middle couldn't transport it. All of the servers in my main lab connect to my NetGear GS724T, which supports jumbo frames, and so have jumbo frames enabled on their NICs.

—John Savill
InstantDoc ID 103373
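The breakage the answer describes (two hosts agree on large frames, a switch in between cannot carry them) is easy to check for before you enable jumbo frames in production. The function below is an added example, not the author's code: it sends don't-fragment ICMP echoes of a chosen size with the standard ping.exe -f and -l switches and classifies the outcome, and it lists the MTU Windows currently uses per interface with netsh. The peer address is a placeholder.

```powershell
# Added example, not from the article: verify that a jumbo-frame MTU actually survives the
# path to a peer, which is the failure the answer describes. Uses ping.exe -f (don't fragment)
# and -l (payload bytes); the peer address is a placeholder.
function Test-PathMtu {
    param(
        [Parameter(Mandatory = $true)][string]$Target,
        [int]$Mtu   = 9000,   # IP MTU you expect the path to carry
        [int]$Count = 2
    )
    # ICMP echo payload = MTU minus the 20-byte IPv4 header and the 8-byte ICMP header.
    $payload = $Mtu - 28
    $out = & ping.exe -n $Count -f -l $payload $Target 2>&1 | Out-String

    if ($out -match 'needs to be fragmented') {
        $result = 'BLOCKED: a router on the path reports it cannot carry this frame size'
    } elseif ($out -match 'TTL=') {
        $result = 'OK: frame delivered without fragmentation'
    } else {
        # A switch that cannot carry the frame simply drops it, so no ICMP error comes back.
        $result = 'NO REPLY: host unreachable, ICMP filtered, or frame silently dropped by a switch'
    }
    New-Object PSObject -Property @{ Target = $Target; Mtu = $Mtu; Payload = $payload; Result = $result }
}

# Current MTU per interface (available on Vista/Server 2008 and later).
netsh interface ipv4 show subinterfaces

# Probe the standard and the jumbo size against the same peer. If 1500 passes but 9000 does
# not, the NIC setting is ahead of what the switches in between can transport.
$peer = '192.0.2.10'    # placeholder (TEST-NET-1 documentation address)
Test-PathMtu -Target $peer -Mtu 1500
Test-PathMtu -Target $peer -Mtu 9000
```

Run the 9000-byte probe from each host toward every peer it needs to reach at that size; a mix of OK and NO REPLY results across peers usually points at a single switch or uplink that has jumbo frames disabled.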

Q: How many Live Migrations can I perform concurrently?

A: Only one Live Migration can run concurrently between the two nodes that are participating. Other nodes in the cluster can also be involved in Live Migrations, but again, one Live Migration per pair of hosts.

If you want to queue up multiple Live Migrations, you should use a virtualization management solution such as System Center Virtual Machine Manager. You could also use a script, available at tinyurl.com/yf5wq99, to perform the live migrations in sequence. The Microsoft PowerShell team put this script together. The script queues live migrations from a node and moves them to other nodes in the cluster.

—John Savill
InstantDoc ID 103251
Figure 2: The Indexing Options dialog boxes.

Q: I'm trying to give a user Full Control using the basic file sharing dialog, but the co-owner option isn't available in Windows Server 2008 R2. What can I do?

A: Server 2008 R2 updated the basic sharing dialog. It no longer has the Co-Owner and Contributor options. Read/Write is the equivalent of Contributor, but Co-Owner is no longer represented. If you want to give a user Full Control, you need to use the Advanced Sharing option, which allows assignment of Full Control permissions.

As a side note, in my testing with Server 2008 R2 permissions, I found that changes you make with the basic sharing dialog don't seem to actually take effect, making the dialog fairly worthless in the release to manufacturing version of the OS.

—John Savill

InstantDoc ID 103266


Q: How can I configure which locations are indexed in Windows 7 and Windows Server 2008 R2?

A: The easiest way to access the indexing options for Windows 7 and Server 2008 R2 is to type indexing in the search field on the Start bar. This will bring up the Indexing Options Control Panel applet. You can also access the applet directly from Control Panel.

In the applet, you can modify the locations that are indexed, and via the Advanced button you can set which types of files are indexed and where the indexing information is stored, as shown in Figure 2. By default, the search database is located at C:\ProgramData\Microsoft\Search\Data\Applications\Windows and the main content is in the file Windows.edb. Depending on the amount of data being indexed, the file may be large (mine was 300MB to index around 40GB of data).

—John Savill
InstantDoc ID 103122


Q: Can I read BitLocker protected removable media in Windows XP and Windows Vista?

A: Microsoft has released BitLocker To Go Reader (BTGR) for Windows Vista and Windows XP. Once you've installed BTGR, you can use it to read from BitLocker protected media.

You don't have to worry about downloading or installing BTGR. When a drive is protected with BitLocker, an additional "discovery volume" that contains BTGR is created on the device. When the media is inserted in an XP or Vista system that doesn't have BTGR installed, the device will appear to contain nothing but the BTGR installation files. You can use these to install BTGR from the device, and then access the device's real content.

Note that you have to use the BTGR interface to view the content—you can't view it from Explorer or any other part of the Windows OS. If you try to view a BitLocker protected drive in Explorer, you'll only see a link to BTGR.

—John Savill
InstantDoc ID 103345

Q: Can I set processor affinity with Hyper-V?

A: In virtualization, processor affinity (also known as hard affinity) allows you to link a virtual processor with a physical core in the host. This is required in many virtualization solutions to make sure virtual machines (VMs) always get a full CPU's worth of processing.

Hyper-V can reserve a percentage of a CPU's processing power for a VM, but doesn't require you to reserve a specific core for a VM. You can set that reserve to 100 percent, and a 100 percent reservation for a VM has more or less the same effect as setting a processor affinity, but Hyper-V neither needs nor supports processor affinity.

—John Savill
InstantDoc ID 103385
See what the new version brings to the table for IT pros and end users

by Dan Holme


Within a few weeks, SharePoint 2010 should be released to manufacturing 
the SharePoint 2010 revolution will begin. It's not just the business and 
tomers—internal and external—that will benefit from enhancements to 
2010. With more enterprises storing more mission-critical data in 
soft was compelled to bring to the table significant 
tion, management, security, scalability, deployment, and governance of SharePoint 
implementations. What Microsoft has created in the three years since the release of SharePoint 2007 is 
impressive. In this article, I'll explore the changes to SharePoint that impact you, the IT pro. 

Of course, work at Microsoft is ongoing between the time of this writing and RTM, and I'll be covering 
all the latest developments at www.sharepointproconnections.com. Be sure to check there for the latest 
changes. 


64-Bit Only

SharePoint 2010 raises the stakes—significantly—for your infrastructure. Gone are the days of 32-bit servers and of virtual machines (VMs) hosted on 4GB laptops for developers. SharePoint 2010 requires 64-bit hardware for each server in the farm, including your database server, and therefore requires 64-bit versions of Windows and Microsoft SQL Server. Windows Server 2008 is the minimum OS version for production servers; Windows Server 2008 R2 is highly recommended. You need SQL Server 2008 R2, SQL Server 2008, or SQL Server 2005 to support SharePoint 2010. And with each of these products, you must have the latest service packs and updates. The specifics are changing regularly in the run up to RTM, and will continue to change as products such as SQL Server 2008 R2 are released, so you should consult TechNet (technet.microsoft.com/en-us/library/cc262485(office.14).aspx) for the latest information about SharePoint 2010 hardware and software requirements.

SharePoint 2010 can be installed with slightly lower memory requirements—4GB of RAM—for development and evaluation. Developers also can install SharePoint 2010 on 64-bit Windows 7 or Windows Vista clients—a welcome change from the previous requirement to develop on a server platform.

The 64-bit requirement for SharePoint 2010 isn't premature, given the fact that it's been difficult to buy a 32-bit-only server for many years now. And the performance benefit of 64-bit code is significant. However, many organizations, particularly small businesses and enterprises in developing nations, are struggling to provision hardware that meets SharePoint 2010's standards. The 64-bit requirement is likely to be the top reason cited for delays in migrating from previous versions of SharePoint to SharePoint 2010.


SharePoint Foundation and SharePoint Server

Microsoft continues to offer a free version of SharePoint, SharePoint Foundation 2010, which replaces Windows SharePoint Services (WSS) 3.0. Like its predecessor, SharePoint Foundation 2010 supports many collaboration scenarios through features such as lists, libraries, and team sites. SharePoint Foundation continues to provide core functionality, including administration, management, authentication, and Office client integration. SharePoint Foundation 2010 incorporates some of the platform functionality formerly provided by Microsoft Office SharePoint Server (MOSS) 2007, most importantly service applications, which I'll discuss later.

I've spent a lot of time explaining to clients that they don't need MOSS on every farm—WSS supports collaboration scenarios quite effectively and therefore lets you place multiple, decentralized WSS collaboration farms in remote sites and maintain a centralized MOSS farm for intranet, search, My Sites, and other MOSS services. Many people have swallowed Microsoft's marketing message whole and believe they need MOSS for every scenario. That just isn't the case.


The same situation holds true with SharePoint 2010. I expect Microsoft will push SharePoint Server hard, but it's not the only answer. SharePoint Foundation could be the answer for many collaboration requirements. Be sure you need SharePoint Server before you pay for it.

However, SharePoint Server brings a lot more chips to the table, such as enterprise search and social networking features. The Enterprise license adds full-strength business intelligence, including Excel Services and connectivity to back-end data sources. In addition, InfoPath forms, Visio Services, FAST Search, Access Web Services, and the Office Web Applications are compelling capabilities of the Enterprise version. I believe that Access Web Services and Office Web Applications are the killer apps for the Enterprise edition that will be major drivers toward full-blown SharePoint Server 2010 farms in the next few years.

Of course, SharePoint 2010 will be offered as a hosted service as well, continuing Microsoft's drive for Software Plus Services. You can read about that option in the sidebar, "What SharePoint 2010 Offers Online."

Upgrade Options

After you ensure that your infrastructure meets the SharePoint 2010 prerequisites and decide on your mix of SharePoint Server and SharePoint Foundation, on-premises and hosted services, you're ready to start thinking about upgrading your current SharePoint implementation. When you upgrade to SharePoint 2010, you might also need to upgrade to 64-bit hardware, and potentially upgrade your Windows and SQL Server versions as well. It's important that you do each prerequisite upgrade before upgrading SharePoint itself. You can combine upgrades of the prerequisites—for example, upgrading from 32-bit Windows Server 2003 to 64-bit Server 2008 R2. Make the upgrade from a previous SharePoint version to SharePoint 2010 the last step.

You have two upgrade paths to SharePoint 2010. The first, an in-place upgrade, involves installing SharePoint 2010 (Foundation or Server) on an existing SharePoint 2007 farm. An in-place upgrade requires downtime for the farm, but it preserves farm settings and customizations. Alternatively, you can perform a database attach upgrade, in which you attach an existing SharePoint 2007 content database (either MOSS or WSS) to a SharePoint 2010 farm, and upgrade the content database in the process. This method can be faster than an in-place upgrade because SharePoint can upgrade multiple content databases concurrently, but it requires a separate SharePoint 2010 farm and therefore requires you to manually configure farm settings and customizations. There are also hybrid upgrade paths that combine these two approaches. You can find more about upgrade options in the TechNet article "Upgrading to SharePoint Server 2010" (technet.microsoft.com/en-us/library/cc303420(office.14).aspx).


What SharePoint 2010 Offers Online

SharePoint 2010 continues Microsoft's strides toward its Software Plus Services (S+S) strategy. Microsoft has three flavors of hosted SharePoint, the most common of which is multi-tenant, or co-hosted, offered through Microsoft Business Productivity Online Standard Suite (BPOS). In its current iteration, this service offers functionality basically equivalent to Windows SharePoint Services (WSS) 3.0 plus publishing. SharePoint 2010 has been designed to support richer multi-tenant functionality, including service applications such as Search, Managed Metadata, and My Sites. It's safe to expect that multi-tenant hosted SharePoint Online will extend such capabilities to its subscribers after the service is updated to SharePoint 2010. I expect that SharePoint Online will come admirably close to feature parity with internally hosted SharePoint farms.

The second of the three hosted flavors of SharePoint is SharePoint for Internet sites. Microsoft has revealed new multi-tenant options for hosted SharePoint 2010-based Internet sites. It's not possible to host public-facing, anonymous-access websites on the current multi-tenant version of SharePoint Online. These new Internet offerings will let businesses publish their public-facing websites on SharePoint in a robust and secure infrastructure hosted and managed by Microsoft.

The third flavor of hosted SharePoint that Microsoft offers is dedicated SharePoint hosting for large enterprises. Through this offering, the level of functionality isn't limited by the fact that your SharePoint applications are multi-tenant. Instead, you can do anything and everything SharePoint can do because it's your server. Microsoft simply hosts and manages it.

Finally, there are aspects of SharePoint and its Office Web Applications integrated into Microsoft Office Live Workspace and Windows Live, which expose SharePoint functionality to small-to-midsized businesses (SMBs) and consumers with a free-to-the-user, advertisement-driven model. The experience with Office Live is already so rich that I can only blame poor marketing by Microsoft for any inroads made by Google in the SMB collaboration market. SharePoint 2010 ups the ante, and I expect Office Live will provide Office Web Applications (Word, PowerPoint, and Excel) for free to the same markets.

The takeaway for your enterprise is that hosted SharePoint has come of age and, unlike other companies' web-only offerings, Microsoft gives you the flexibility to mix and match internally hosted and externally hosted SharePoint versions. Be sure to give careful thought as to how you can leverage both to meet your strategic objectives.

InstantDoc ID 103512
Figure 1: SharePoint 2010's new interface for managing Web applications

The upgrade to SharePoint 2010 preserves the UI of MOSS 2007 and WSS 3.0, letting you leverage the new platform management and administration capabilities while letting business owners retain control over when to unleash the new UI, including the Ribbon, and the new user features. For each upgraded site, you can preview the new UI and its impact on the site by using a new feature called Visual Upgrade. While a site is in preview state, you can continue to make changes to it, but only changes that are compatible with the earlier version of SharePoint. You can switch between the SharePoint 2010 preview mode and the legacy SharePoint compatibility mode. When you're ready to commit to the new UI and features, you can update the UI and enable SharePoint 2010 features.

Improved Administration

Central Administration has had an extreme makeover, resulting in a cleaner layout, organized in logical, task-based groupings. The Ribbon makes its SharePoint debut, making administrative tasks easier to discover. Figure 1 shows the new interface for managing Web applications. You no longer have to change Web applications within a command; instead, select a Web application, then choose a command on the Ribbon.

Central Administration also adds wizards that make it easier to step through common configuration sequences, including the initial configuration of a farm. No more bouncing back and forth between a configuration task list and the actual configuration tasks.

Central Administration isn't the only administrative game in town. Stsadm.exe continues to provide command-line administration capabilities and, new to SharePoint 2010, Windows PowerShell lets you perform both simple and complex configuration and automation. So far, over 500 PowerShell cmdlets are exposed in SharePoint 2010. When SharePoint 2010 RTMs, Microsoft will publish some useful PowerShell scripts, including farm, server, and site provisioning scripts, and scripts that move data from file servers into SharePoint document libraries.

Many organizations have fought SharePoint proliferation—instances of SharePoint (particularly WSS) being installed on servers by administrators acting outside of the SharePoint governance plan. SharePoint 2010 addresses this governance problem by introducing Active Directory markers that let you track SharePoint installations, and Group Policy blockers to prevent unauthorized SharePoint installations.

High Availability, Recovery, and Storage

SharePoint 2010 introduces a rudimentary solution for high availability. A Web application can be configured to refer to a second instance of SQL Server. If the primary instance of SQL Server fails, SharePoint will fail over to the second instance. Of course, the assumption is that you're leveraging SQL Server capabilities such as mirroring to replicate the database to the second instance. This is an important new feature, but it has its limits. First, the solution isn't positioned as a solution for geographic distribution and replication of data. In other words, this is for failover, not for a remote office to have a local SQL Server instance. The entire farm looks at one instance of SQL Server or the other—not both.

Second, and more importantly, although the failover story is decent, the failback story has its rough spots. My peers who have worked with this feature report that the process of restoring operations of the farm against an up-to-date instance of the original SQL Server database is ugly and frustrating. So SharePoint 2010's out-of-box high-availability solution is a start, and might suffice for some businesses, but there's still plenty of room for third-party high-availability solutions.

SharePoint 2010 does encroach on third-party backup-and-restore solutions. Such solutions are all but mandatory with SharePoint 2007, which can recover content only down to the site-collection level on its own; third-party utilities are required to recover a site, list, library, item, or document. SharePoint 2010 lets you natively recover sites, lists, libraries, items, and documents. With unattached content database recovery, you can mount a detached content database and perform operations from within Central Administration, including browsing content, extracting a document, backing up a site collection, and exporting a site or list. SharePoint 2010's recovery functionality is much improved and will address the needs of a broader range of enterprises, but still leaves room for functionality and manageability features from third-party solutions.

Many changes have been made to improve the way SharePoint stores and retrieves content, and additional improvements come with newer editions of SQL Server. One of the most important changes is Remote BLOB Storage (RBS). This feature lets you store BLOBs, such as documents in a document library, in a location other than the SharePoint content database. The most easily understood example of this is an implementation that uses the file system provider in order to store document library documents on a server's file system, rather than in the content database. This storage method reduces the size of the content database significantly, reduces the impact of SharePoint on your SQL Server infrastructure, moves files to file servers, which are cheaper to maintain and support, and lets you get past the 2GB BLOB size limit of SharePoint.

Monitoring SharePoint Health and Usage

SharePoint 2010 delivers significant improvements in health and configuration monitoring, providing what Microsoft calls "deep operational insight" into service performance and server health. You can use the Review problems and solutions page in Central Administration, which Figure 2 shows, to identify potential problems. This page shows results generated by using a set of rules run periodically and automatically through the new Best Practices Analyzer. Each problem entry includes a description of the problem and guidance for remediation. The out-of-the-box rules are customizable—you can even configure a rule to automatically correct a problem—and the rule definitions are extensible, so third parties can add rules. This "Best Practices Analyzer on Steroids" is a major addition to the health monitoring capabilities of SharePoint.

You need to know more than whether a server is healthy or sick—you also need to know how a SharePoint farm is being utilized: which sites and pages are being hit, and which pages or processes are consuming system resources. SharePoint 2010 introduces a new database to support usage reporting and logging, and the unified logging database keeps track of just about everything SharePoint does, from individual feature usage to the length of time it takes to load a page.

Some useful analytics reports are built-in, such as reports for slowest pages and top users, and you can add your own reports thanks to the fully documented database schema. The usage database and logging infrastructure is extensible, letting you and third parties log events and tracing data and generate customized reports. With this kind of insight, you'll have the hard metrics you need to tweak settings, change page designs, and optimize code.

Governance Over Customizations 

Speaking of code, the Developer Dashboard lets administrators and developers monitor the impact of customizations on pages. The Dashboard can be exposed on a page to reveal performance and debugging information.

Any custom code has the potential to affect other processes and system resources on a SharePoint farm. The Developer Dashboard provides insight for monitoring and debugging, but real control is exerted by deploying sandboxed solutions. Using sandboxed solutions, deployed as SharePoint solutions (.wsp) packages that can touch a limited set of APIs, you can isolate custom code to prevent it from affecting other processes, and to control the resources that can be consumed. You can delegate to site admins the ability to upload custom user code with the confidence that any problems won't harm other apps or the farm. Site admins can also be delegated the ability to monitor and deactivate the feature that enables the problematic custom code.

In addition to controlling custom code, SharePoint 2010 gives you control over other customizations, including look-and-feel changes such as themes and customizations made using SharePoint Designer 2010. Unfortunately, the benefits of developing for and customizing SharePoint using Visual Studio 2010 and SharePoint Designer 2010 apply only when those applications are used against SharePoint 2010. In fact, you must use previous versions of Visual Studio and SharePoint Designer to code for and customize SharePoint 2007. If your enterprise includes mixed levels of farms, you'll need to support both customization and development environments. This fact alone might make you want to upgrade the entire enterprise to SharePoint 2010 as quickly as possible.

Governance Over Client Integration

Office 2010 client applications provide additional functionality when paired with SharePoint 2010. Word, PowerPoint, Excel, Access, Outlook, Project, and OneNote continue to improve their already strong SharePoint integration. Meanwhile, other specific applications, such as SharePoint Workspaces (formerly known as Groove), SharePoint Designer, and InfoPath, will see increased use and might be entirely new to your organization. When your users discover what they can do with these applications, your governance plan had better explain when these applications will be supported in your organization.

SharePoint 2007 let you enable or disable all client integration with a single switch. SharePoint 2010 adds granularity. At the list or library level, you can enable or disable Microsoft Office client integration features.
Figure 2: The Review problems and solutions page in Central Administration

Extended Browser Support

In some ways, IT pros have it easy with SharePoint 2007. Users can access SharePoint 2007 only through Internet Explorer, and some of my clients have used that fact as an excuse to prohibit installation of Firefox, Safari, and other browsers. The good news is that SharePoint 2010 supports Firefox and Safari, as well as other browsers and devices. The bad news is that now you might be asked to support those browsers.

List and Library Scalability 

Microsoft has improved the experience 
with lists and libraries in SharePoint 2010, 
which now supports lists and libraries with 
millions of items. Changes to both the back 
end (with improved SQL Server queries) 
and the front end (how web front-end 
servers retrieve and present list and library 
content) make a world of difference by 
balancing the end-user experience with the 
impact on the server infrastructure. 

On the server side, you can configure Web application settings that control the maximum number of items returned by a query generated by a list or library view; the default is 5,000 items. You can set different limits for administrators and nonadministrative users. When a view generates a number of items greater than this limit, a warning message appears at the top of the list informing the viewer that the view isn't returning all items. Additionally, a warning appears on the List Settings page.

Web application settings let you set 
what is oddly called the Happy Hour 
window—a period of time each day during 
which query limits aren't applied. You set 
the window to start at a specific time each 
day, seven days a week, to run for a whole 
number of hours. Both the name and 
the lack of granularity of control qualify 
the Happy Hour window as a half-baked 
feature. 

When it's not Happy Hour, views won't 
return more items than the query limit, 
but SharePoint 2010 makes it easy to help 
users dynamically filter data to narrow the 
result set. Metadata can be used to create 
a navigation hierarchy and content filters. 
The result is a tag-based folder hierarchy, 
using keywords or metadata, that filters 
the result set and therefore narrows the 
number of items returned. 


Farm Service Scalability 

Service applications in SharePoint 2010 replace the Shared Services Provider (SSP) model of SharePoint 2007. Forget everything you know about SSPs. The new model is radically different, better, and easier.

SharePoint 2010 has several built-in services, including Business Data Connectivity, Visio Graphics Service, Excel Services, Office Web Apps, Search, User Profile, Web Analytics, and the new Managed Metadata Service, which creates a central store for taxonomy and content types. Each service runs as an application exposed as a Windows Communication Foundation (WCF) service on one or more application servers in the farm. Consumers such as web parts, typically on web front ends, utilize the service. To connect the consumer to the service, each service application has a proxy that knows how to talk to the service.

This architecture, which is completely extensible so that third parties can create new service applications, offers several advantages. First, a service can be published to other farms by installing the service application proxy on the other farm and pointing it to the Uniform Resource Identifier (URI) provided by Central Administration when you publish the service application. Therefore, farms can share service applications, providing unified services for functions such as search, taxonomy, data aggregation, and analytics.

Second, Web applications can be configured to use one or more instances of a service. For example, a Web application for a company's finance department can consume a taxonomy service (the Managed Metadata Service) that provides a taxonomy specific for finance, and another service that provides a unified, enterprise-level taxonomy.

Third, services can be scaled up in times of high demand. If a service is in high demand, you can deploy the service application to additional application servers. When the service proxy queries the farm for the location of the WCF service, the service architecture returns the instance of the service in round-robin fashion, including the new application servers.

Another capability of service applications is multi-tenancy, which is used to partition a service so that it returns a subset of data. The classic use of this technique is for hosted SharePoint offerings where a single Search service is used by several hosted customers. Obviously, it's important that search results are restricted to each customer's data—that a security layer prevents leakage of search results. This security is achieved by implementing multi-tenancy, which adds a subscriber ID field to each row of data in the Search service. A site collection, which is specific to a customer, with that subscriber ID can return results only from the service that matches the subscriber ID. There will certainly be other services and other scenarios—even intranet scenarios—in which enterprises will want to partition the data returned by a single service application.

Wrapping It Up 

This article has described many significant changes for IT professionals in SharePoint 2010. Microsoft groups these improvements into three categories: Increased Productivity, Scalable Unified Infrastructure, and Flexible Deployment. These high-level groupings obscure some of the most important and high-impact aspects of SharePoint 2010. I've tried to point out the features I think will be most welcome—or most half-baked—but only time will tell, after enterprises get SharePoint 2010 into production.
SharePoint 2010: Microsoft's Thomas Rizzo Talks Details

From migration to social networking, what you can expect in SharePoint's future

by Sheila Molnar and Michael Otey

Thomas Rizzo, senior director of SharePoint at Microsoft, took some time to talk about what's new and what's coming for SharePoint 2010 with SharePointPro Connections executive editor Sheila Molnar and her colleague Michael Otey, technical director for Windows IT Pro.

Molnar and Otey: We understand that you go back quite a ways on Microsoft SQL Server before you moved to SharePoint.


Rizzo: I've been at Microsoft for close to 15 years. I worked on the Exchange Server team. 
I worked on the SQL Server team for about 5 or 6 years. And then I worked on the SharePoint team. So 
I worked on all the server products. It's interesting to see Microsoft grow up in the enterprise—starting 
with Exchange Server, then SQL, and now SharePoint as our big enterprise product. 


Molnar and Otey: Do you see it as natural growth for you to have come over to SharePoint? 

Rizzo: SharePoint actually grew out of Exchange, so it's a little bit of coming home for me. The original 
SharePoint, code-named Tahoe, shipped in 2001. It was built on the Exchange Web Storage System, not 
SQL Server, in the first version. It shipped with Exchange 2000. The Exchange and SharePoint team are 
like one big happy team. And then we decided that the long-term data storage for the company was 
probably not the Exchange Store, because it's a very specialized store for email and that sort of thing. 
At that time I went to work on the SQL Server business. The SharePoint team decided to build on top 
of SQL Server because it was our enterprise database and business intelligence product. When I came 
back to SharePoint, it was like coming home. A lot of the same people who worked on SharePoint in 
2001 still work on SharePoint even today. The same person who founded the team still works there and 
runs it—Jeff Teper. 


Molnar and Otey: SharePoint is certainly one of the hottest server products Microsoft has 
right now. 

Rizzo: Yes, it's the fastest growing. We hit over 1.2 billion dollars last year—17,000 customers. A lot of people think of SharePoint as just collaboration and intranet search. But we've expanded into other areas. A lot of big Internet-facing sites run SharePoint now. So you may not even know it, but folks like Kraft and Hawaiian Airlines are on SharePoint for their Internet-facing site. Recovery.gov is running SharePoint.

So that's a big area—growing our Internet business. One of our big bets was the FAST Search & Transfer acquisition for 1.2 billion dollars. We wanted really high-end search because high-end search powers the Internet. We worked to integrate the FAST team and combined it with SharePoint Web Content Management to build a really great Internet business offering. You'll see in the 2010 release how FAST is an integral part of the SharePoint offering this year. The other area we invested in for the 2010 release is business intelligence (BI). SQL is a major part of the Microsoft BI stack, but so is Office with Excel and now SharePoint with PerformancePoint Services and Excel Services. It's interesting to see SharePoint grow from the original three workloads to many workloads.

Molnar and Otey: With SharePoint 2010 there are several editions available. What are the different offerings? How did they come about?

Rizzo: We retired some things. We got rid 
of some products. But we added more than 
we got rid of. 

Molnar and Otey: What did you retire?

Rizzo: I don't know if you ever heard 
of it—Microsoft Office Forms Server. It 
was our standalone version of InfoPath 
Forms Services inside of SharePoint. You 
could take InfoPath Forms in the Office 
Client and automatically turn them into 
web-based forms inside of SharePoint. 
We thought customers would want to not 
deploy all of SharePoint and just get the 
forms piece. So the Forms Server was for 
that specialty forms customer. But all the 
customers went right to SharePoint; they 
didn't want just a specialty server, so we 
just got rid of it. 

We had some name changes as well. We renamed Windows SharePoint Services (WSS) to SharePoint Foundation. We wanted to make sure people understood that it was a foundational product for the rest of SharePoint. It's also a platform technology so developers could get SharePoint Foundation and have pretty much the full API set of SharePoint. They could start with SharePoint Foundation and grow up to the full version of SharePoint.

Molnar and Otey: SharePoint Foundation remains free, doesn't it?

Rizzo: Yes. It's free. We added new SKUs to SharePoint. Some are specialty-based; some are based on introducing the FAST product line into the SharePoint family. One of the new SKUs is called SharePoint for Internet Sites, Standard Edition. This is part of the investment in the Internet business. Today we have SharePoint for Internet Sites, targeted at larger websites. SharePoint for Internet Sites, Standard Edition will be targeted at the small and medium-sized website customer, someone who wants to run a website but who isn't a billion-dollar company. We have a bunch of FAST SKUs: FAST Search for SharePoint for very high-end search on your SharePoint infrastructure or a search for Internet apps. There are probably one-and-a-half times as many products in 2010 as there were in 2007, but it makes sense when you look across the board. Another free product is SharePoint Designer. We have a new version of it. Every SharePoint customer should download and install Designer and take advantage of it.

Molnar and Otey: What's the connection between SharePoint and Windows PowerShell?

Rizzo: I'd like your feedback on that! We've invested in PowerShell for SharePoint 2010. We still continue to support our old Stsadm. We're telling people that they can continue to use it, but it will be deprecated over time. PowerShell is a lot more flexible and powerful. We'll ship with over 350 PowerShell cmdlets in the box to make it easy for people. We've been hearing good feedback from our IT community. It depends on where they've come from. If they've been in Windows Server or Exchange they're kind of used to PowerShell. Honestly, some people we've had to drag kicking and screaming from Stsadm over to PowerShell because Stsadm is a single command line. With PowerShell it might take 10 lines of code to do the same thing.


We think it will help in a lights-out operation scenario because PowerShell is much, much richer than our command-line Stsadm; if you don't want to touch the server, you want to script everything, and you want reporting back and better error handling and that sort of thing, PowerShell is light-years ahead of what we have.

Molnar and Otey: You'd really want to have PowerShell for an integrated management experience so you'd manage all your different servers using PowerShell. You wouldn't want something different for SharePoint from your other servers.

Rizzo: Yes. Train your IT folks once on PowerShell, and then they can leverage PowerShell everywhere. With PowerShell, from a management standpoint, we invested in health rules inside of SharePoint as well. We took a little bit of learning from the SQL Server team in terms of self-healing.

SharePoint now will monitor itself, and try to heal itself if there's a problem. So it will check disk space to make sure it's not running out of space, and it will check security to make sure that you don't have super-user accounts across your entire box. We're trying to get much more friendly to IT and lights-out operations.

Molnar and Otey: SharePoint 2010 has a new best practices analyzer, doesn't it?

Rizzo: That's right. And it's extensible 
so you can plug in your own rules if you 
want to. 

Molnar and Otey: What's the migration story for SharePoint 2010?

Rizzo: We support upgrades from SharePoint 2007 to 2010. Service Pack 2 of SharePoint 2007 shipped an Upgrade Checker, so back in April or May of 2009 customers could start running it against their 2007 environment, understand where the gotchas may be, and start fixing those gotchas. We won't support upgrades from 2003 to 2010—you have to go through 2007. From 2007 to 2010 should be a pretty seamless process for the customer.
Molnar and Otey: Aren't there vendors available for upgrades from earlier versions?

Rizzo: We have over 5,000 partners on 
SharePoint, so many of them would be 
happy to consult on that, and we have ISVs 
as well. 

Molnar and Otey: Isn't SharePoint 2010 64-bit only?

Rizzo: Yes. It's 64-bit only, Windows Server 2008, Internet Explorer (IE) 7 and above. It requires SQL Server 64-bit. We're following Exchange there. Exchange went 64-bit only in 2007. We found that a lot of customers ran into problems with 32-bit. They weren't giving enough memory to SharePoint, and they expected to do amazing things in the 3GB memory space that we had, so 64-bit will make it a lot more performant. Unfortunately, we had to cut support for IE 6 from the browser. IE 6 is 10 years old and it's not compliant with XHTML and not strict in terms of the checking it does of HTML. So to meet modern standards, we had to remove IE 6.

Molnar and Otey: Isn't that painful for some customers?

Rizzo: It's painful for customers that have lots of desktops running IE 6. But moving to XHTML, we can now be much more accessible in terms of people with disabilities, as well as better at supporting browsers like Firefox and Safari.

Molnar and Otey: Firefox was just added in, right?

Rizzo: Yes, Safari and Firefox 3 and above 
were added, and IE 7 and IE 8. Any that are 
XHTML-compliant will be supported. 

Molnar and Otey: How would you describe SharePoint's role in social networking?

Rizzo: That was another big investment 
area for us. We've had MySite since 2003, so 
we had Facebook-like sort of stuff. In 2007 we 
added a whole host of new social features. 

Customers have been slow to adopt it. People on the Internet are more forgiving around Facebook and MySpace and those sorts of things. But bringing Internet technology to the enterprise—customers have to worry about security, privacy, and so on. So a translation takes place. We've seen good adoption of the MySite technologies—folks like Accenture and Electronic Arts run MySite. They personalize sites for all their employees. In 2007 we invested even more in things like blogs, wikis, RSS feeds, activity feeds—so you know what's happening in your social network, like birthdays or changes in office numbers or phone numbers or information on document tags. You're being told what's happening in your social network rather than having to go and query to find out.

We do support activity feeds and also taxonomies—folksonomies as well as corporate taxonomies. We support both a top-down corporate taxonomy where an IT department says, "Here's the 50,000 tags you can use inside of our company so we can quickly find things," and a folksonomy where you use Digg or Del.icio.us, for example, to do a social tag. So you can have bottom-up tagging, and then promote those tags to a corporate tag once you find lots of people are using that tag. Things like social bookmarks and organizational browsing are supported within the SharePoint 2010 platform.

Molnar and Otey: What does the future look like for SharePoint? You've come so far so rapidly. What does the next decade look like?

Rizzo: You can see where we've made 
our investments, so that's no surprise. We'll 
continue to invest in enhancing across all 
the workloads of SharePoint. We're not 
done in Search or in Enterprise Content 
Management. We'll keep turning the crank 
on social and portal—that will be a definite. 
The other big investment for us is moving 
to the cloud. 

We do have SharePoint Online. It's doing 
well. We only released it a year and a bit 
ago—the multi-tenant version. We've had 
the dedicated version of SharePoint Online 
where customers like GlaxoSmithKline use 
it. You outsource your IT to Microsoft pretty 
much. 

The multi-tenant version targets more, smaller customers. The larger customers tend to go with dedicated. We've been adding tons of customers in the multi-tenant space, and in 2010 we'll add more functionality into the multi-tenant space.

Molnar and Otey: Will there be a SharePoint Azure?

Rizzo: Yes. It's called SharePoint Online. What else will come? [We have] lots of ideas. Now that we're closing down the 2010 product, we're thinking about what will go in the next release. It's all blue sky—there's lots of thinking around search, the way search affects the way people work.

One of the things we think about is how 
search changes the way you navigate your 
content, so that navigation is no longer 
static. It becomes dynamic based on search 
queries. We talk about that as query-less 
search or search-driven navigation. 

And how does social play into that? In 
2010, SharePoint will pop you a list of what's 
popular based on either search queries 
or page views, and we use our analytics 
engine to actually discover all of that for 
you. So right on the page you can say, "Oh, 
ten people are viewing these ten pieces of 
content—it might be good content." 

We implemented social search in 2010. 
We take your search results, look at your 
colleague network, ask what they clicked on, 
and rank that content higher just based on 
the algorithm that we have. 

We think people in your social network are similar to you, so we'll surface content based on that social network. We make sure SharePoint is completely search and socially aware no matter where you are in the product.
PowerShell Scripts Is as Easy as

by Bill Stewart



As you probably know, PowerShell is Microsoft's latest Windows OS shell and scripting tool. A shell is a program that provides a user interface for the OS. When we're talking about PowerShell, the "shell" part usually refers to its command-line interface (CLI). A CLI is a basic user interface that lets you enter a command (or a series of commands) at a prompt. When you press Enter, the shell performs an action, then the CLI displays the prompt again and waits for another command.

At first, a CLI might not seem as efficient as a graphical user interface (GUI) because you have to type in commands, making sure of spelling, spacing, quotes, etc. However, command shells have always supported some form of batch execution, which is also called scripting. A script is simply a list of commands stored in a text file that you can execute on demand. PowerShell is no exception—although PowerShell is an excellent CLI, it becomes even more flexible with the use of scripts. A PowerShell script is simply a text file with a .ps1 extension that contains a list of commands PowerShell should execute.

However, PowerShell's secure by default philosophy prevents all scripts from running, so double-clicking a PowerShell script from Windows Explorer won't execute it. Also, PowerShell doesn't execute scripts from the current directory. The good news is that you don't have to be a PowerShell guru if all you want to do is run PowerShell scripts. Simply follow these steps:

1. Install Windows PowerShell. 

2. Set PowerShell's execution policy. 

3. Run your PowerShell scripts, keeping a few important details in mind. 


What you need to know about PowerShell's secure by default philosophy


1. Install Windows PowerShell 

If you have Windows 7 or later, you don't need to install PowerShell because it comes preinstalled with 
the OS. If you're using Windows Vista or earlier, you need to download and install PowerShell. Windows 
XP and Windows Server 2003 also require the Microsoft .NET Framework 2.0. (The .NET Framework 
2.0 SP1 is required for PowerShell 2.0.) You can find the links to the downloads on the "Scripting with 
Windows PowerShell" web page (technet.microsoft.com/en-us/scriptcenter/dd742419.aspx). 


2. Set PowerShell's Execution Policy 

As I mentioned previously, PowerShell is secure by default. The first implication of this philosophy is 
that PowerShell won't execute scripts until you explicitly give it permission to do so. PowerShell has four 
execution policies that govern how it should execute scripts: 

• Restricted. PowerShell won't run any scripts. This is PowerShell's default execution policy. 

• AllSigned. PowerShell will only run scripts that are signed with a digital signature. If you run a 
script signed by a publisher PowerShell hasn't seen before, PowerShell will ask whether you trust 
the script's publisher. 
Figure 1: Running PowerShell under elevated permissions in Vista and later

Figure 2: Using the Unblock button (the Properties dialog for Get-DirStats.ps1, showing the notice "This file came from another computer and might be blocked to help protect this computer")


• RemoteSigned. PowerShell won't run 
scripts downloaded from the Internet 
unless they have a digital signature, 
but scripts not downloaded from the 
Internet will run without prompting. If a 
script has a digital signature, PowerShell 
will prompt you before it runs a script 
from a publisher it hasn't seen before. 

• Unrestricted. PowerShell ignores digital 
signatures but will still prompt you 
before running a script downloaded 
from the Internet. 

To display the current execution policy, you 
need to enter the command 

Get-ExecutionPolicy

at a PowerShell prompt (which will look 
like PS C:\> assuming the current location 
is C:\). To set the execution policy, enter 
the command 

Set-ExecutionPolicy policy


where policy is one of the policy names (e.g., 
RemoteSigned). 

Setting the execution policy requires administrator permissions. In Vista and later, you must run PowerShell with elevated permissions if you're already an administrator and User Account Control (UAC) is enabled. To run PowerShell under elevated permissions in Vista and later, right-click its shortcut and choose Run as administrator, as Figure 1 shows. If you're logged on to XP or Windows 2003 as a standard user, you can right-click the PowerShell shortcut, choose Run as, and enter administrator account credentials.

One thing that's important to understand about execution policies is the meaning of the phrase "downloaded from the Internet." In Windows, this phrase means that the file has an alternative data stream that indicates the file was downloaded from the Internet zone. To unblock a script, right-click the .ps1 file, choose Properties, then click the Unblock button, as shown in Figure 2. My web-exclusive article "Dealing with XP SP2's Security Warning Dialog Boxes" (www.windowsitpro.com, InstantDoc ID 47535) provides more complete details about the alternative data stream and how Windows uses it.

I recommend setting the execution policy to RemoteSigned because this execution policy lets you write and run scripts on your own computer without having to sign them with a code-signing certificate. You'll still be prevented from running a script downloaded from the Internet unless you explicitly unblock it first. To set the RemoteSigned execution policy, enter the following command at a PowerShell prompt:

Set-ExecutionPolicy RemoteSigned

Microsoft also provides an administrative template (.adm file) for managing PowerShell's execution policy through a Group Policy Object (GPO), which you can download from the "Administrative Templates for Windows PowerShell" web page (www.microsoft.com/downloads/details.aspx?FamilyID=2917a564-dbbc-4da7-82c8-fe08b3ef4e6d).
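As an added example (not code from the article), the following PowerShell function reports why a given script would or would not run under the current execution policy: it reads the Zone.Identifier alternate data stream that marks a file as "downloaded from the Internet", checks the script's Authenticode signature, and applies the policy rules described above. It assumes PowerShell 3.0 or later (for Get-Item -Stream, Get-Content -Stream and Unblock-File); the script path is whatever you pass in.

```powershell
# Added example, not from the article. Requires PowerShell 3.0 or later
# (Get-Item -Stream, Get-Content -Stream and Unblock-File appeared in 3.0).
function Test-ScriptPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,

        # Remove the Zone.Identifier stream, the same effect as the Unblock button.
        [switch]$Unblock
    )

    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $policy = [string](Get-ExecutionPolicy)

    # "Downloaded from the Internet" means the file carries a Zone.Identifier
    # alternate data stream whose ZoneId is 3 (Internet) or 4 (Restricted sites).
    $zoneId = $null
    $stream = Get-Item -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($stream) {
        $content = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier
        $found   = $content | Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
        if ($found) { $zoneId = [int]$found.Matches[0].Groups[1].Value }
    }
    $isRemote = ($null -ne $zoneId -and $zoneId -ge 3)

    if ($Unblock -and $isRemote) {
        Unblock-File -LiteralPath $file.FullName
        $isRemote = $false
    }

    # Authenticode status: Valid, NotSigned, HashMismatch, NotTrusted, ...
    $sig      = Get-AuthenticodeSignature -FilePath $file.FullName
    $validSig = ($sig.Status -eq 'Valid')

    # Apply the policy rules: only a valid signature lets a remote script run
    # under RemoteSigned, and AllSigned demands one for every script.
    $willRun = switch ($policy) {
        'Restricted'   { $false }
        'AllSigned'    { $validSig }
        'RemoteSigned' { (-not $isRemote) -or $validSig }
        'Unrestricted' { $true }    # still prompts for an unsigned remote script
        'Bypass'       { $true }
        default        { $false }   # Undefined falls back to Restricted on a client OS
    }

    [pscustomobject]@{
        Script                 = $file.FullName
        ExecutionPolicy        = $policy
        ZoneId                 = $zoneId
        DownloadedFromInternet = $isRemote
        SignatureStatus        = $sig.Status
        WillRun                = $willRun
    }
}

# Usage (path taken from the article's Figure 2): inspect a downloaded script,
# then clear its Internet-zone mark and check again.
Test-ScriptPolicy -Path C:\bin\scripts\Get-DirStats.ps1
Test-ScriptPolicy -Path C:\bin\scripts\Get-DirStats.ps1 -Unblock
```

Under RemoteSigned, a script reported as DownloadedFromInternet with SignatureStatus NotSigned will not run until it is unblocked, which is exactly the case the Unblock button handles.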

3. Run Your PowerShell Scripts 

After configuring the execution policy, you can run PowerShell scripts. To run a script, open a PowerShell window, type the script's name (with or without the .ps1 extension) followed by the script's parameters (if any), and press Enter. In keeping with PowerShell's secure by default philosophy, double-clicking a .ps1 file from Windows Explorer opens the script in Notepad rather than executing the script with PowerShell.

When you're running PowerShell scripts, you need to keep in mind several details, the first of which concerns a new option in PowerShell 2.0. When you right-click a .ps1 file, PowerShell 2.0 provides a Run with PowerShell option, but I don't recommend using it for two reasons:

1. When you use this option, the PowerShell window closes immediately after the script finishes. Because most PowerShell scripts aren't written to pause when they're finished, you'll miss any output the script provides and any errors the script might encounter.

2. Many PowerShell scripts use command-line parameters that control their behavior. There's no way to enter parameters when using this option.

For these reasons, I recommend running 
PowerShell scripts from a PowerShell 
command window instead. 

Another important detail to keep in mind when running scripts is that PowerShell doesn't run them from the current directory. Instead, it uses the Path (which is a comma-delimited list of directories, stored in the Path environment variable, that Windows searches for executable files). If you type a script's name (but not its location) and the script isn't found in the Path, PowerShell won't run it, even if the script is in the current directory. This is another aspect of PowerShell's secure by default philosophy. PowerShell doesn't run scripts in the current directory, to prevent the scenario in which an attacker puts a bogus script in the current directory with the same name as a commonly used command. If PowerShell ran scripts from the current directory first, a user might unwittingly run the rogue program by accident. By ignoring scripts in the current directory, PowerShell avoids this potential problem.

To explicitly run a script from the current directory, you must prefix the script's name with .\ or ./ so that PowerShell understands you intend to run it from the current location. For example, suppose the directory C:\Scripts isn't in the Path and the following script, called HelloWorld.ps1, exists in C:\Scripts.

Write-Host "Hello, world"
Read-Host "Press Enter to continue"

If you enter these commands at the PowerShell prompt

PS C:\> Set-Location C:\Scripts
PS C:\Scripts> HelloWorld

PowerShell won't run HelloWorld.ps1, even though the current location is C:\Scripts. (Note that I included the prompts you'd see, for demonstration purposes. You wouldn't type these prompts when entering the commands.) Instead of the second command, you need to type one of the following commands:

PS C:\Scripts> .\HelloWorld
PS C:\Scripts> ./HelloWorld

Because PowerShell doesn't execute scripts from the current directory, I recommend that you create a directory, add this directory to your Path, and store your PowerShell scripts in this directory. That way, you can avoid any problems.

The final detail you need to remember 
when running PowerShell scripts is that you 
need to handle spaces differently than you 
did in Cmd.exe. When a script's pathname 
contains spaces, you have to surround it 
with double quotes (") to run it in Cmd.exe. 
For example, in Cmd.exe, you'd type: 

C:\> "C:\Program Files\Scripts\HelloWorld"

to run a script named C:\Program Files\Scripts\HelloWorld.cmd. Quoting a script's path to run it won't work in PowerShell, because the presence of double quotes causes PowerShell to evaluate the pathname as an expression rather than a command. If you simply type the script's name in quotes like you did in Cmd.exe, PowerShell assumes the pathname is a string and outputs the pathname instead of running the script. To work around this, you can use PowerShell's invocation operator, &, to execute the quoted string as a command, as in

PS C:\> & "C:\Program Files\Scripts\HelloWorld"

Because you must use the & operator and quotes to execute a script that has spaces in its pathname, I recommend that you don't use spaces in your scripts' names when creating your own scripts. In addition, if you create a directory in which to store scripts, make sure you leave out spaces in its name as well.
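The three rules above (Path-only lookup of a bare name, the ignored same-named file in the current directory, and the & operator for a quoted path) as an added PowerShell example; this is not code from the original article, and the function names Get-ScriptResolution and Add-ScriptDirectoryToPath are hypothetical. It assumes the execution policy from step 2 already allows local scripts.

```powershell
# Added example, not from the original article. Function names are hypothetical.

function Get-ScriptResolution {
    # Reports where PowerShell would find the named script through the Path,
    # whether a same-named file in the current directory would be ignored
    # (the shadowing scenario the article describes), and the invocation
    # string that runs the local copy explicitly.
    param([Parameter(Mandatory = $true)][string]$Name)

    $leaf = if ($Name -like '*.ps1') { $Name } else { "$Name.ps1" }

    # Get-Command uses the same discovery as typing the name: the Path
    # entries (separated by ';' on Windows) are searched, the current
    # directory is not.
    $viaPath = Get-Command -Name $leaf -CommandType ExternalScript `
                   -ErrorAction SilentlyContinue | Select-Object -First 1
    $local       = Join-Path (Get-Location).ProviderPath $leaf
    $localExists = Test-Path -LiteralPath $local
    $shadowed    = $localExists -and ((-not $viaPath) -or ($viaPath.Path -ne $local))

    # A path containing spaces must be quoted, and a quoted string is only an
    # expression unless it is prefixed with the invocation operator (&).
    $invoke = if ($local -match '\s') { "& `"$local`"" } else { ".\$leaf" }

    New-Object PSObject -Property @{
        Name             = $leaf
        FoundViaPath     = [bool]$viaPath
        PathLocation     = if ($viaPath) { $viaPath.Path } else { $null }
        LocalCopyIgnored = $shadowed
        ExplicitInvoke   = $invoke
    }
}

function Add-ScriptDirectoryToPath {
    # Adds a scripts directory to the Path for this session and, with
    # -Persist, to the user's Path so it survives new sessions.
    param(
        [Parameter(Mandatory = $true)][string]$Directory,
        [switch]$Persist
    )
    $dir = (Resolve-Path -LiteralPath $Directory).ProviderPath
    if ($dir -match '\s') {
        Write-Warning "'$dir' contains spaces; scripts in it must be run with & and quotes."
    }
    if (($env:Path -split ';') -notcontains $dir) {
        $env:Path = "$env:Path;$dir"
    }
    if ($Persist) {
        $userPath = [Environment]::GetEnvironmentVariable('Path', 'User')
        $entries  = @($userPath -split ';' | Where-Object { $_ })
        if ($entries -notcontains $dir) {
            [Environment]::SetEnvironmentVariable('Path', (($entries + $dir) -join ';'), 'User')
        }
    }
}

# Constructed demo: a HelloWorld.ps1 in a directory that is not in the Path.
$demoDir = Join-Path $env:TEMP 'PsScriptsDemo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
Set-Content -Path (Join-Path $demoDir 'HelloWorld.ps1') -Value 'Write-Host "Hello, world"'

Push-Location $demoDir
Get-ScriptResolution -Name HelloWorld   # FoundViaPath False, LocalCopyIgnored True
.\HelloWorld                            # the explicit prefix runs the local copy
& "$demoDir\HelloWorld.ps1"             # a quoted path needs the & operator

Add-ScriptDirectoryToPath -Directory $demoDir   # session only; add -Persist to keep it
HelloWorld                              # now found through the Path
Get-ScriptResolution -Name HelloWorld   # FoundViaPath True, LocalCopyIgnored False
Pop-Location
```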

Run Scripts With Ease

You don't need to be a PowerShell or scripting expert to run PowerShell scripts with ease. Simply follow these three steps and you'll be running PowerShell scripts in no time.
by Jan De


Server virtualization allows hosting of different virtual guest computer environments on one physical host computer. Organizations can use server virtualization to consolidate servers; build more cost-efficient and effective development, test, and preproduction environments; simplify disaster recovery; and easily port virtual servers across different hardware platforms.

Microsoft provides two server-virtualization solutions. The first is Microsoft Virtual 
Server—a free software package that you can use to build virtual servers on top of Windows 
Server 2003, Windows XP, and Windows Vista. Microsoft's most recent server virtualization solution is 
Hyper-V—an integral part of Windows Server 2008. Like Microsoft Virtual Server, Hyper-V allows for the 
virtualization of both Windows and non-Windows OSs. 

This article focuses on the security aspects of the Hyper-V virtualization solution. It explains how 
securing virtual servers is different from the way you secure physical servers. With the guidance and best 
practices offered in the article, you'll be better able to protect your Hyper-V virtualization infrastructure. 
To start, let's look at the defenses Microsoft built into the Hyper-V architecture. 


Hints for better securing your virtualization environment


Hyper-V Architectural Defenses 

When Hyper-V loads, it creates a thin abstraction layer (less than 1MB) called the hypervisor. It operates between the physical server hardware and the host OS. The hypervisor interfaces directly with the server hardware and loads before the host OS starts. You could also define the hypervisor as a mini OS that allows for the virtualization of other OSs on top of it. All OSs that run on a Hyper-V server (both the virtualized ones and the host OS) always run inside a virtual machine (VM) that's under the watchful eye of the hypervisor. Virtual Server uses a different approach in which the host OS runs beside the virtualization layer, and the host OS also directly interfaces with the hardware.

To support hypervisor-based virtualization, your system's processor must support what is referred to as hardware-assisted virtualization. This feature is commonly supported on state-of-the-art processors, such as the Intel VT and AMD-V processor lines. Processors that support hardware-assisted virtualization provide a highly privileged layer in the processor ring architecture that keeps the execution environment of the hypervisor fully separated and isolated from the rest of the system.

The hypervisor performs critical tasks such as memory management and ensures security isolation 
between the host OS and the different virtualized OSs. In Hyper-V the environment in which the host OS 
or a virtual OS runs is known as a partition. You could also define a partition as a basic unit of isolation. 
The partition that runs the host OS is called the parent partition, and the partitions that run virtualized 
OSs are called child partitions. 

The parent partition is a privileged partition. It creates and manages child partitions, owns the resources 
not owned by the hypervisor, and takes care of power management and the management of hardware- 
failure events. 

The parent partition must run 64-bit Server 2008. Microsoft's choice of 64-bit for the parent partition is primarily driven by 64-bit platforms' expanded memory and processing facilities. More memory simply allows for more VMs on one platform. But 64-bit Windows also brings security advantages: 64-bit Windows doesn't include legacy code and has been built from the ground up using the Microsoft Security Development Lifecycle (SDL) methodology. Microsoft developed SDL for building more secure software and to add more repeatability and predictability to the software development process. SDL tries to make software development more of a science than an art. You can find more information about SDL in the article "Microsoft Security Development Lifecycle" at www.microsoft.com/sdl.

Given the important role of the hypervisor from a partition isolation point of view, and to further reduce the hypervisor's attack surface, Microsoft limits the code and services that run inside the hypervisor. The hypervisor doesn't include I/O stacks or device drivers. Child partitions communicate with the physical hardware through device drivers that are running in the parent partition. This approach to dealing with device drivers is referred to as a micro-kernelized hypervisor architecture. Although this architecture reduces the security risks for the hypervisor, it creates extra risks for the parent partition. For example, faulty or malicious device drivers might expose the parent partition. In the section titled "Protecting the Parent Partition," I give some advice on how you can harden the Hyper-V parent partition.

Figure 1: Using the SecurAble tool to check Hyper-V hardware requirements (the tool reports, for an AMD Turion 64 X2 Mobile Technology TL-52 processor, its Maximum Bit Length, Hardware D.E.P., and Hardware Virtualization results)


Leveraging Hardware Security Features

Hyper-V can leverage state-of-the-art hardware-related security features such as Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). DEP is a buffer overrun prevention technique that prevents the injection of executable malicious code into data buffers in system memory. Hyper-V requires hardware-based DEP enforcement, which means you must have a processor that supports the No Execute (NX—the AMD term) or Execute Disable (XD—the Intel term) feature. ASLR is a malware protection feature that randomizes the memory location of critical files between system reboots. Thus, it cripples malware (e.g., worms, Trojans) that repeatedly targets the same memory address on different machines. For more information about DEP and ASLR, see "Vista and Server 2008 Malware Protection Gems" (March 2008, InstantDoc ID 98005).

Earlier in the article, I mentioned three important hardware requirements that Hyper-V leverages, directly or indirectly, as security defenses: hardware-assisted virtualization, hardware-based DEP, and 64-bit support. To check whether your system supports these requirements, you can use the SecurAble freeware tool. If you have an AMD-V processor, you can use the AMD-V Hyper-V Compatibility Check utility. You can download the SecurAble tool from www.grc.com/securable.htm and the AMD tool from www.amd.com/us-en/assets/content_type/utilities/AMD-V_Hyper-V_Compatibility_Check_Utility.zip. Figure 1 shows the SecurAble tool interface; Figure 2 shows the AMD tool.

The SecurAble tool has an important warning: "Passing the three SecurAble tests (64-bit support, hardware DEP, and hardware virtualization support) on a machine with an AMD processor doesn't always guarantee that you can install and run Hyper-V on your machine." The tool doesn't check for the presence of certain AMD chipsets and BIOS versions that are required to run Hyper-V. When you have an AMD processor, it's safer to also run the AMD utility. I ran both tools against my AMD Turion processor, and the results are illustrated in Figures 1 and 2. Notice that even though my processor passed the SecurAble tests, the AMD tool reports that my processor isn't compatible with Hyper-V.

Another interesting thing you might experience when you use SecurAble on a Server 2008 system that has Hyper-V running is that the tool reports that your processor doesn't support hardware virtualization, even though it told you your processor did support hardware virtualization before you installed Hyper-V. In this case there is nothing wrong with the SecurAble tool; this just illustrates one of the aspects of the Hyper-V hypervisor architecture. When the hypervisor launches, it hides certain CPU capabilities from the partitions running on the host (including the parent partition). It does this so that no software in the parent or guest OSs tries to use CPU functionality (e.g., hardware virtualization) that the hypervisor controls.

After you run these tools, to get started with Hyper-V, you must first install a Server 2008 64-bit OS. Then you install the Hyper-V bits (which you get from www.microsoft.com/downloads/details.aspx?FamilyId=6067CB24-06CC-483A-AF92-B919F699C3A0). Finally, add Hyper-V support by enabling the Hyper-V server role and reboot your system.

Figure 2: Using the AMD-V Hyper-V Compatibility Check utility to check Hyper-V hardware requirements (the utility reports "This system is not compatible with Hyper-V. This utility detected that a necessary BIOS patch is not installed.")
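The same three hardware checks (64-bit support, hardware DEP, hardware-assisted virtualization), plus the hypervisor-hides-the-capability effect described above, as an added PowerShell example queried through WMI; this is not code from the original article, and the function name Get-HyperVSecurityPrerequisite is hypothetical. It assumes the Win32_Processor virtualization properties and Win32_ComputerSystem.HypervisorPresent, which exist on Windows 8 / Server 2012 and later; on Server 2008 they come back empty and the SecurAble or AMD utilities remain the way to check.

```powershell
# Added example, not from the original article. Function name is hypothetical.
# Assumption: Win32_Processor.VirtualizationFirmwareEnabled and
# Win32_ComputerSystem.HypervisorPresent exist (Windows 8 / Server 2012+).

function Get-HyperVSecurityPrerequisite {
    $cpu = Get-WmiObject -Class Win32_Processor | Select-Object -First 1
    $os  = Get-WmiObject -Class Win32_OperatingSystem
    $cs  = Get-WmiObject -Class Win32_ComputerSystem

    # DEP support policy (as set with bcdedit /set nx ...):
    # 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }
    $depPolicy = 'Unknown'
    if ($os.DataExecutionPrevention_SupportPolicy -ne $null) {
        $depPolicy = $policyNames[[int]$os.DataExecutionPrevention_SupportPolicy]
    }

    $is64Bit     = ($cpu.AddressWidth -eq 64)
    $hwDep       = [bool]$os.DataExecutionPrevention_Available   # NX / XD present
    $depEnforced = $hwDep -and ($depPolicy -ne 'AlwaysOff')

    # Once the hypervisor is running it hides VT-x / AMD-V from the parent
    # partition, so the firmware flag reads False even though the hardware
    # supports it (the SecurAble behaviour the article describes).
    $hvRunning = [bool]$cs.HypervisorPresent
    $vtVisible = [bool]$cpu.VirtualizationFirmwareEnabled
    $vtState = 'NotVisible'
    if ($vtVisible) { $vtState = 'EnabledInFirmware' }
    if ($hvRunning) { $vtState = 'HiddenByHypervisor' }

    $findings = @()
    if (-not $is64Bit)     { $findings += 'Processor is not 64-bit' }
    if (-not $hwDep)       { $findings += 'No hardware DEP (NX/XD) reported' }
    if (-not $depEnforced) { $findings += "DEP policy is $depPolicy; Hyper-V needs hardware DEP enforced" }
    if ($vtState -eq 'NotVisible') {
        $findings += 'Hardware-assisted virtualization not enabled in firmware (check BIOS)'
    }
    # Like SecurAble, this does not check chipset or BIOS revisions; on AMD
    # systems run the vendor utility as well.

    New-Object PSObject -Property @{
        Processor         = $cpu.Name.Trim()
        Is64Bit           = $is64Bit
        HardwareDep       = $hwDep
        DepPolicy         = $depPolicy
        DepEnforced       = $depEnforced
        HypervisorRunning = $hvRunning
        Virtualization    = $vtState
        Ready             = ($findings.Count -eq 0)
        Findings          = $findings
    }
}

Get-HyperVSecurityPrerequisite | Format-List
```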

Protecting the Parent Partition 

In the section on Hyper-V architectural defenses I referred to the critical role of the parent partition—the partition that runs the 64-bit Server 2008 host OS on a Hyper-V server. Next I will explain how you can reduce the attack surface of the parent partition to provide better defense in depth for your Hyper-V virtualization server and the VMs it hosts. To secure the parent partition, you can leverage the Server Core Server 2008 installation option, as well as the Authorization Manager (AzMan) and BitLocker Drive Encryption (BDE) Server 2008 features.

Another approach to securing the Hyper-V parent partition is to use the standalone Hyper-V Server 2008 software for your virtualization server instead of installing Hyper-V on top of Server 2008 Standard, Enterprise, or Datacenter Edition. Hyper-V Server 2008 offers an out-of-the-box, small footprint, GUI-less virtualization platform—but doesn't support interesting features such as Windows Failover Clustering (WFC), an important high-availability provider as I explain later.

Server Core is a Server 2008 server installation option that provides a minimal environment for running certain server roles such as a domain controller (DC), a file server, and also the Hyper-V role. Server Core significantly reduces the maintenance requirements and the attack surface of a Windows server, and it's a security best practice to install your Hyper-V server on a Server Core installation. For detailed information on how to install Hyper-V on Server Core, read the Microsoft "Hyper-V Planning and Deployment Guide" at www.microsoft.com/downloads/details.aspx?FamilyID=5DA4058E-72CC-4B8D-BBB1-5E16A136EF42.

A Server Core installation doesn't include the traditional Windows GUI, and if you want to configure it locally you must do so from the command prompt. But you can also manage a Server Core server remotely using a Terminal Server connection, or using Microsoft Management Console (MMC) or command-line tools that support remote use. To manage your Hyper-V server remotely from a Server 2008 or Vista SP1 machine, you can use the MMC Hyper-V Manager snap-in that's included in the software update packages described in the following Microsoft articles. For Server 2008, see the Microsoft article "Description of the update for the release version of the Hyper-V technology for Windows Server 2008" (support.microsoft.com/kb/950050); for Vista SP1, see "Description of the Windows Vista Management Tools update for the release version of Hyper-V" (support.microsoft.com/kb/952627).

To honor the principle of least privilege and to ensure that VM administrators can manage only their own VMs and can't touch the parent partition, you should lock down the permissions given to VM administrators. On a Hyper-V server you can leverage the Authorization Manager (AzMan) to define specific roles for VM administrators and to ensure that they have permissions only on their respective VMs. Microsoft introduced AzMan in Server 2003 to let developers and administrators easily add role-based access control (RBAC) rules to their applications. Unfortunately, few Windows administrators have used AzMan or know how to configure it. For an excellent description of how to set up AzMan for delegating permissions on a Hyper-V server, see Dung K. Hoang's blog at dungkhoang.spaces.live.com. Figure 3 illustrates how you can configure AzMan RBAC rules for Hyper-V from the MMC Authorization Manager snap-in. A Microsoft product worth mentioning in this context is System Center Virtual Machine Manager (VMM), Microsoft's enterprise management solution for managing virtualization servers and their VMs. VMM reduces the complexity of configuring and managing AzMan authorization rules, because the tool does this for you. More information about VMM is available at the System Center Virtual Machine Manager 2008 R2 page at www.microsoft.com/systemcenter/virtualmachinemanager/en/us/default.aspx.

BDE is a volume-level encryption solution that Microsoft bundles with Server 2008 and Vista. BDE offers offline data protection, meaning that it ensures that data is in an encrypted state when your Windows machine is not powered up or operating. BDE also enforces a multifactor authentication sequence when the protected system is booted. This ensures that malicious persons can't bypass the BDE protection by booting the system from another OS or using a hacking tool. You can use BDE on Hyper-V machines for securing access to volumes that contain VM-related files such as virtual hard disks (VHDs) and configuration files.



Figure 3: Using the MMC Authorization Manager snap-in to define Hyper-V delegation settings

You can find more detailed information about Hyper-V BDE support in the Microsoft white paper "Windows Server 2008 Hyper-V and BitLocker Drive Encryption" at www.microsoft.com/downloads/details.aspx?FamilyID=2c3c0615-baf4-4a9c-b613-3fda14e84545.

Finally, you must also remember the following "classical" security best practices to secure the Hyper-V parent partition. You should never install or run unneeded applications in the parent partition, and you should define a dedicated physical NIC to manage the parent partition. This rule implies that you should never expose the dedicated management NIC to untrusted network traffic. Thus, you must set up a separate VLAN for the management LAN, leverage strong authentication tools such as smart cards for administrator access to the management LAN, and not give any VM access to the NIC that's used for parent partition management.

Patching VMs 

Like for any other Windows machine, keeping your VMs up-to-date with the latest software and security patches and fixes is important. As for physical servers, you can use standard Microsoft automatic patching solutions such as Windows Update, Windows Server Update Services (WSUS), or System Center Configuration Manager (SCCM).

An interesting patching problem is how to ensure that your VMs are adequately patched before they are turned on in a production environment. Organizations typically build a standard VM image, update it with the latest patches, then leave it in that state until the need arises to create a new VM based on that image. To deal with the patches that were released in the period between the creation of the image and the introduction of a new VM based on that image in the production environment, you need additional automated patching tools. Failing to use automated tools will leave a window of opportunity for malware to infect the machine when it's introduced in production and before it receives the latest patches.

A good solution is to create so-called maintenance hosts. A maintenance host is a machine that you reserve for patching stored VM images before they are released to production. The notion of maintenance hosts is also supported in VMM.
Microsoft also provides a special tool called the Offline Virtual Machine Servicing Tool to help customers adequately patch VM images. The Offline Virtual Machine Servicing Tool manages the workflow for updating large numbers of offline VMs. The tool works with VMM and with Microsoft's enterprise-level software update management systems WSUS and SCCM. You can learn more about how to set up maintenance hosts in the TechNet article "Planning for Hosts" at technet.microsoft.com/en-us/library/bb963750.aspx. You can download the Offline Virtual Machine Servicing Tool from technet.microsoft.com/en-us/library/cc501231.aspx.

Ensuring High Availability 

Patching your VMs is important, but it's equally important to ensure the high availability of your virtualization servers and their VMs. Clusters are a typical answer to the high-availability question. In Server 2008, Microsoft includes important changes for its Windows-based failover cluster support, WFC. The WFC enhancements include simplifications in cluster setup and configuration, and enhancements in the areas of reliability, stability, scalability, networking, and security. In Server 2008, Microsoft also makes it easy to leverage WFC for building clustered Hyper-V servers.

If you're not familiar with clustering terminology, a failover cluster is a group of computers that work together to provide high availability for applications and services. The clustered computers (known as cluster nodes) are interconnected via physical cables and software. If one of the cluster nodes fails, the cluster logic ensures that another cluster node automatically starts to provide the service. The process of switching between nodes is called cluster failover.

You can use Server 2008 WFC to set up a two-node cluster for the Hyper-V parent partition and configure the VMs as cluster resources. The VMs can then fail over to a different node when one of the cluster nodes fails. For information about setting up a clustered Hyper-V server, see the TechNet article "Hyper-V: Using Hyper-V and Failover Clustering" at technet.microsoft.com/en-us/library/cc732181.aspx.

You can also benefit from WFC for performing maintenance and servicing tasks on your Hyper-V server's parent partition (the host OS) with minimal production disruption. For example, if you want to apply the latest security patches on the active node of your Hyper-V cluster, you can manually fail over the cluster to the passive node. Microsoft refers to this as Hyper-V "Quick Migration." For more information about Quick Migration, see the Microsoft white paper "Quick Migration with Hyper-V" at download.microsoft.com/download/3/B/5/3B51A025-7522-4686-AA16-8AE2E536034D/Quick%20Migration%20with%20Hyper-V.doc. Even though WFC Quick Migration is nice from a high-availability point of view, it's not the same as migrating a machine in its running state. Microsoft includes live migration support in the Server 2008 R2 version of Hyper-V. Live migration can also be done with other virtualization solutions such as VMware's VMotion or XenServer's XenMotion.

Virtually Secure 

I've given you a basic understanding of Server 2008 Hyper-V architecture and illustrated how Microsoft designed Hyper-V with security and defense-in-depth in mind. I also pointed out some areas in which securing VMs is somewhat different or more complex than securing physical machines.

This isn't an exhaustive list of the security measures you should take for your virtualization servers. For example, I didn't emphasize that on a VM, it's as important to run antivirus and antispyware tools, and to keep these tools up-to-date, as it is on your physical machines. Microsoft plans to include an exhaustive list in an upcoming release of the Windows Server 2008 Security Guide. In the meantime, this article and the links to further information give you numerous tools to better protect your Hyper-V virtualization infrastructure.
Exchange Server 2010: A New Mobile Frontier

Responding to an exploding market, Microsoft significantly polishes its messaging system

by Paul Robichaux


Mobile devices are here to stay. In fact, it's probably safe to say that they represent the area in which unified communications (UC) software and services have the most potential to grow and flourish. Modern high-end devices' combination of portability, processing power, ubiquitous connectivity, and location awareness open the door to some groundbreaking possibilities. Microsoft has steadily improved the mobility support in successive Exchange Server versions.

Exchange Server 2010 continues that pattern, offering strengthened mobile device support and 
platform enhancements. To get a real sense of the value of these changes, let's set them in the broader 
context of what’s happening in the mobile device market—an important perspective because the 
mobile market has changed a great deal since Microsoft designed and delivered Exchange 2007. 



Mobile Device Trends 

The changes in the mobile device arena aren't just driven by increasing numbers of devices 
on the market. The big change is that the devices are getting smarter and more powerful. In 
August 2009, Gartner reported that in the second quarter of 2009 alone more than 40 million 
smartphones were sold worldwide (of 286 million total phones). Extrapolate those 
numbers out for a year or two, and it's not outrageous to imagine 
half a billion smartphones in the world. Hopefully they're not 
plotting to form Skynet! 

Smartphones used to be the exclusive province of 
information workers, but as their price/performance ratio 
has improved they're much more widespread. Every major 
mobile phone vendor has smartphones in its lineup; some, 
such as Apple and Palm, have nothing but smartphones. 

Microsoft is partially responsible for this trend; the emergence of Exchange ActiveSync (EAS) as the de facto mobile device sync standard—and its wide adoption even by Microsoft's fiercest competitors—has helped make smartphones much more desirable.




Exchange 2010 Mobility Features 

Exchange 2010 boasts a long list of mobility features. However, many of these improvements are upgrades or polishes of existing Exchange 2007 features. Outlook Web App is a new version of Outlook Web Access (OWA), and it could be argued that it's a mobility tool, but when you look at purpose-built mobility features, the story is a bit different. For example, EAS is still the device-sync protocol that Exchange offers to compatible devices, but the Exchange 2010 version of EAS (version 14) adds some key functionality. Here's a list of important mobility changes and improvements in Exchange 2010.

• Support for Conversation view in Windows Mobile's Outlook application—This view functions like the Conversation views in Outlook 2010 and Outlook Web App 2010: It groups related messages and treats them as a single unit, no matter what folder they're in. This feature depends on metadata added to messages by the Exchange 2010 server. It has the biggest effect, and is most useful, for messages that are delivered after you deploy Exchange 2010. Exchange will make a game effort to fit existing messages into conversations, but without the additional metadata it's a hit-or-miss proposition much of the time.

• Synchronization of Short Message Service (SMS) text messages between a user's Inbox folder and phone—Text messages sent or received on the phone can be automatically synced to the corresponding Sent Items and Inbox folders, where they're then available to the full range of Exchange features: flagging, inclusion in search folders, and so on. In addition, you can create an SMS message in Outlook or OWA, then have it sent from your phone.

• Free/busy lookup for contacts—This feature is made possible by Exchange Web Services, which offers a simple way for applications to query free/busy status or get suggested meeting times. It's a great addition to the mobile client.

• A shared nickname cache used by Outlook 2010, OWA, and the mobile device.

There are some other features in the new version of Outlook Mobile that aren't related directly to Exchange 2010, such as the ability to play voicemail messages inline (as you can with Outlook 2007 and later) rather than in a separate player application. As a bonus, Exchange 2010 adds the ability to record messages in MP3 format so that users can play them on a wider variety of devices. Perhaps the biggest change from a market perspective is the ability to put the Exchange 2010 version of Outlook Mobile (version 6.5) on Windows Mobile 6.1 devices. Microsoft originally planned to ship it with Windows Mobile 6.5, which launched last fall. Given the way Microsoft's mobile-operator customers work, it's difficult to release Windows Mobile updates for existing devices.

Rather than require an entire Windows Mobile update, the Exchange and Windows Mobile teams collaborated to produce an update system that's built into Exchange. When you enable an Exchange 2010 mailbox for mobile device support, it's now possible for the user to get an update message. The update message contains a link to a small bootstrapping program that the user downloads over the air from his or her Exchange 2010 server. That bootstrap program then connects to Microsoft's servers to get the appropriate build of Outlook Mobile 6.5 (for example) for the user's Windows Mobile version and device CPU. This is a clever idea, enabling the Exchange team to deliver some pretty compelling new features without requiring users to get rid of their Windows Mobile 6.0 and 6.1 devices.

Changes from Exchange 2007 

Apart from the new Exchange 2010 features, there are also a number of changes to existing features. Let's start with a discussion of what hasn't changed (or at least hasn't changed much). The EAS policies supported in Exchange 2007 SP1 and later are essentially unchanged. There are a couple of terrific changes, though—notably, the ability to allow or block specific applications through the new Other tab on the Policy Properties dialog box and a very nice (though largely unnoticed) ability to generate a variety of useful reports about EAS devices. You can use the Export-ActiveSyncLog cmdlet to generate reports based on the contents of the IIS log files. (Remember, EAS is essentially an IIS application.) These reports include the following: 

• A general usage report that includes the total number of bytes sent and received, as well as a count of item types (email messages, calendar items, contacts, tasks) sent and received. 

• A report showing the number of sync requests processed per hour, as well as the total number of unique devices requesting sync. 

• A summary of sync errors, showing the percentage of time each error or status code occurred. 

• A report showing the number of devices that comply with a given EAS policy. This report shows devices that don't comply at all (usually because they don't support policies or because the user rejected it), devices that comply with some but not all aspects of the policy, and devices that comply with all settings in the policy. 

• A report totaling the number of users, grouped by mobile device OS. If you want to know how many iPhone users you have in your organization, you'll love this tool. 

These reports are produced as CSV files for easy import into Microsoft Excel or other analysis tools. 

Microsoft also added Exchange Management Shell cmdlets that let you allow, block, or quarantine devices. This functionality works in a couple different ways. First, by using the ActiveSyncAllowedDeviceIDs parameter with the Set-CASMailbox cmdlet, you can specify the GUIDs of individual devices that a specified user can use (presuming you know the GUID values, which you have to look up on a per-mailbox basis). 

You can also use the *-ActiveSyncDeviceAccessRule cmdlets to manage EAS access rules. These rules can allow, block, or quarantine devices based on the device OS revision, the User-Agent HTTP header that the device presents, or the model or type. So, for example, you can easily block any iPhone from synchronizing, and you can allow all Windows Mobile 6.1 devices to connect but require administrator permission to sync any older or newer Windows Mobile devices. 
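The following is an added example, not from the article, showing how the allow/block/quarantine controls just described, together with the per-device-OS count from the report list earlier, can be driven from the Exchange 2010 Management Shell. The mailbox alias, the admin address, and the Add-EasAccessRule helper are assumptions.

```powershell
# Added example (not from the article): inventory EAS device partnerships,
# then apply allow/block/quarantine controls in the Exchange 2010
# Management Shell. Aliases and addresses below are assumptions.

# 1. Inventory every mailbox that has a sync partnership. This answers the
#    "how many iPhone users do we have?" question live, from the
#    partnership records rather than from the IIS logs.
$devices = Get-CASMailbox -ResultSize Unlimited `
               -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object { Get-ActiveSyncDeviceStatistics -Mailbox $_.Identity }

$devices | Group-Object DeviceType, DeviceOS |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Organization default: any device not matched by a rule or by a
#    per-mailbox allow list is quarantined, and the EAS admins are told.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@contoso.example' `
    -UserMailInsert 'Your device is waiting for IT approval before it can sync.'

# Helper (assumed, not an Exchange cmdlet): create a rule only if none
# with the same characteristic and query string exists, since duplicates
# are rejected. Access rules match the query string exactly, so it must
# be what the device actually reports, not a prefix or wildcard.
function Add-EasAccessRule {
    param([string]$Characteristic, [string]$QueryString, [string]$AccessLevel)
    $dup = Get-ActiveSyncDeviceAccessRule |
        Where-Object { $_.Characteristic -eq $Characteristic -and
                       $_.QueryString   -eq $QueryString }
    if (-not $dup) {
        New-ActiveSyncDeviceAccessRule -Characteristic $Characteristic `
            -QueryString $QueryString -AccessLevel $AccessLevel
    }
}

# 3. Rules: block every iPhone by DeviceType; allow exactly the Windows
#    Mobile 6.1 OS strings seen in the inventory. Older or newer Windows
#    Mobile builds match no rule and fall through to the quarantine default,
#    which is the "require administrator permission" behaviour.
Add-EasAccessRule -Characteristic DeviceType -QueryString 'iPhone' -AccessLevel Block
$devices | Where-Object { $_.DeviceOS -like 'Windows Mobile 6.1*' } |
    Select-Object -ExpandProperty DeviceOS -Unique |
    ForEach-Object {
        Add-EasAccessRule -Characteristic DeviceOS -QueryString $_ -AccessLevel Allow
    }

# 4. Per-mailbox exception: pin one user (assumed alias 'alice') to the
#    DeviceIDs already partnered with her mailbox, so a new or borrowed
#    device cannot sync under her credentials without review.
$aliceIds = Get-ActiveSyncDeviceStatistics -Mailbox 'alice' |
    Select-Object -ExpandProperty DeviceID
Set-CASMailbox -Identity 'alice' -ActiveSyncAllowedDeviceIDs $aliceIds

# 5. Review what the quarantine default has caught so far.
Get-ActiveSyncDevice -ResultSize Unlimited |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Format-Table UserDisplayName, DeviceType, DeviceOS, DeviceId -AutoSize
```

Run it from the Exchange Management Shell on an Exchange 2010 server; the inventory step can take a while in a large organization, so consider scoping Get-CASMailbox with -OrganizationalUnit first.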

What Third Parties Are Doing 

One of the reasons Exchange has been such a success in the marketplace is that its product team made a sound decision to license EAS as widely as possible. This tactic has greatly spurred adoption of EAS as a mobile sync protocol, which—not coincidentally—has driven demand for Exchange deployments. 

It's important to remember that there are two sides to Exchange's mobility support: the server and the client. Just because Exchange 2010 implements a feature or option, there's no guarantee that a particular EAS-capable device will implement it as well. The iPhone is a great example: You can set up an EAS policy that blocks the use of the onboard camera or Bluetooth hardware for devices that sync with your server, but, as the iPhone ignores these policy settings, you won't get the desired results—through no fault of your own (or Microsoft's). 

Here's a quick look at what some of the 
major EAS licensees are doing, or have done, 
about Exchange 2010 mobility support: 

• Palm has steadily improved the sync 
behavior of the Palm Pre and its smaller 
sibling, the Palm Pixi. These devices 
don’t implement the full suite of EAS 
features, though. 

• Google's Android OS has spread and 
is now featured on several devices, 
notably the Motorola Droid on Verizon. 
The Droid is one of the only Android 
devices to feature built-in EAS support. 
Android is still a weak presence outside 
the US market, although Google 
undoubtedly plans to spread it far and 
wide. 

• Apple is famously tight-lipped about future products. The company hasn't said whether it plans to do anything in future iPhone software releases to improve its lackluster Exchange support, especially the poor functionality and compatibility of the included calendar application and the lack of ability to delete and move messages while offline. If the summer 2009 Snow Leopard Mac OS X release is any guide, don't expect huge improvements. It would be great if Apple would at least properly support the EAS "smart reply" and "smart forward" verbs so that message replies or forwards retain the original message formatting. 

Of course, the 800-pound gorilla in the mobile device world is still Research in Motion (RIM). Sadly, as of the time of this writing, RIM isn't yet shipping a version of the BlackBerry Enterprise Server (BES) that fully supports Exchange 2010. The company has, however, announced plans to do so. It'll be interesting to see whether the BES product's history of causing a large performance impact on Exchange continues in this newest revision; Exchange itself has changed the way it handles MAPI traffic (on which BES depends) so that MAPI is now handled by the Client Access Server (CAS) role instead of solely by the mailbox server. For that reason, it may be that Exchange 2010 mailbox servers will suffer less from the impact of BES users—but only time will tell, and only at the cost of redirecting that load to the CAS instead. Interestingly, a few companies (including AstraSync) now sell EAS clients that run directly on BlackBerry devices, obviating the need for BES servers altogether. 

Exciting Time 

Now is an exciting time to be working in the mobility space. Handset manufacturers, OS vendors, and collaboration software vendors are all furiously trying to kill each other off! You have only to look at the sales trend numbers for the iPhone, RIM devices, Windows Mobile units, Android devices, and Symbian devices to see that we're rapidly heading toward a world in which the norm is to have many different devices all speaking a fairly small set of common sync protocols—which is great news for EAS! 
The task of provisioning new user accounts invariably falls upon system administrators. Administrators create logons across a variety of systems, such as Active Directory (AD), Microsoft Exchange Server, and SQL Server, when a new employee starts at the company. The equally important process of deprovisioning accounts when employees leave for greener pastures often highlights the disconnect between the HR and IT departments—a systems administrator might hear through the grapevine that Bob in Accounting left the company three months ago but still has system access. 

Identity Lifecycle Manager (ILM) 2 empowers end users to perform tasks traditionally undertaken by IT, such as resetting passwords and creating or deleting groups and users. It provides a SharePoint-based workflow through which users can carry out simple tasks based on management policy rules defined in ILM. A record of who did what, and when, is maintained for auditing purposes. 

How Does ILM Work? 

ILM 2 is a complex product consisting of four main components: ILM Synchronization Service (previously called Microsoft Identity and Integration Server), which is supported by SQL Server 2008; ILM Portal, which is a SharePoint-based web portal for user and administrator access; ILM Client Components for Outlook and Windows integration; and ILM Service, a web service that interacts between the Synchronization Service and ILM Portal. 

Synchronization Service is central to ILM; its function is to synchronize objects between directory services, such as AD and Novell, into a central database called the metaverse. Objects are synchronized into ILM's metaverse via connector spaces, and objects can either be synchronized back to the source directory service, or to a different directory, once processed by ILM. For instance, ILM could be used to keep passwords for user objects in sync between AD and Novell directory services, helping to simplify the logon process for users. (Having one password to access all systems is convenient, but might not be acceptable in high-security environments.) ILM comes with connector spaces for AD, SAP, Novell, Lotus Notes, Exchange, SQL Server, and Oracle databases, to name just a few. 

The most important new feature in ILM 2 is the ILM Portal, which provides access to all the product's main features, such as self-service identity and group management tools, via a web interface for both system administrators and end users. You can provision users and groups using the ILM Portal, create workflows, and modify policies. All changes are submitted to the ILM Service, which then passes requests to the ILM Synchronization Service, where the metaverse is updated. 

ILM's client components integrate with Microsoft Outlook to provide group management tools, including the ability to process offline group membership or approval requests. The ILM client also integrates with Windows logon, providing an authentication gateway should users want to reset a forgotten password. Administrators can change employee data using the ILM Portal. This information is then passed on by the ILM Service to the Synchronization Service, which updates connected directories. The Synchronization Service is responsible for detecting new and changed records, and making the appropriate directory updates. 

Installing ILM and Client Components 

The system requirements for each of ILM's server components are slightly different. To install all the components on one server requires Windows Server 2008 64-bit (standard or enterprise edition), SQL Server 2008 64-bit (standard or enterprise edition), Internet Information Services 7 (IIS), .NET Framework 3.0 and 3.5 SP1, and Windows SharePoint Services 3.0 SP1. The server must have at least 2GB of available disk space and 2GB of memory. The client-side components are supported on Windows XP Professional SP3 and Windows Vista Enterprise SP1, both 32-bit and 64-bit editions, and Outlook 2007. .NET Framework 3.5 SP1 is also required on clients. 

ILM in Action—Self-Service 
Password Resets 

A prominent new feature of ILM 2 is the ability for users to reset forgotten passwords at the Windows logon prompt. Administrators can configure one or more authentication gateways, where users answer a series of predefined questions before being given the opportunity to reset their password or proceed to the next gateway. Inserting a smartcard can also be set as a condition for passing a gateway. When users log on for the first time, they're asked to register with the self-service password reset system by answering questions set by an administrator. 

You can categorize users so that those who have access to highly sensitive information on the network have to pass more authentication gateways before being allowed to reset their password. The ability to reset passwords at the logon prompt can be disabled, and you can enable that ability in a web interface. 

Identity Management for Users 

ILM Portal can be customized for different categories of users to access features, such as managing distribution list (DL) membership, telephone extensions, or office numbers, which Figure 1 illustrates. The ability to manage security groups and DLs via ILM Portal provides a natural extension to the SharePoint system, with which many users will already be familiar. 

As well as providing self-service password reset capabilities, ILM's client components integrate into Outlook with a familiar interface for managing DL membership. Requesting membership of a DL is done using the Groups menu in the top-right corner of Outlook. Requests are managed using Outlook forms where users can search for groups using standard Outlook dialogs. Approvals can also be managed by group owners using email, with voting style accept/reject buttons, as illustrated in Figure 2. 

ILM for Sysadmins—Provisioning 
Users and Groups 

User objects are provisioned to the connected directories using ILM Portal with a simple wizard that allows admins to set properties such as employee start and end date and to whom the employee reports. Users are automatically added to the appropriate groups in connected directories based on information you enter when creating a new user, such as the user's department or employee status. Let's look at how to provision a security group with dynamic membership. First, log on to your ILM server as an administrator. 

Figure 1: The ILM Home screen 

1. Open the ILM Portal in Internet Explorer (http://<servername>/identitymanagement, replacing <servername> with the name of your ILM server). 

2. Click Security Groups on the navigation bar, then New on the All Groups page. 

3. Give the group a display name and account name on the Basic Info tab. Select Calculated in the Selection of Members section and click Next. 
As businesses grow, the issue of systems management for IT grows with them. Unfortunately, the need for IT management in SMBs is rarely addressed, because of the expense and expertise required to implement software management solutions that IT can use to simplify systems management. The SMB market (500 to 3,000 desktops) can greatly benefit from a comprehensive systems management program. But finding a way to implement such a program without breaking the budget can be daunting. 

The basic problem is a simple one: systems management for client computers is something that needs to be done. IT must make sure that patches and hotfixes are applied, proper versions of applications are distributed, software upgrades are done, and client systems remain configured to the corporate standard. In the vast majority of SMBs, these tasks are performed by hand. That is, an IT professional is responsible for maintaining each client system in the environment. 

This task can be incredibly time consuming 
and resource intensive, especially if the business 
has a significant percentage of remote or casually 
connected users. As a business grows, manually 
visiting each computer to apply updates and to 
make sure that each is configured correctly and 
is being used in accordance with the corporate 
standard rapidly becomes impractical. But IT 
personnel in SMBs are already swamped with work, 
so it isn't easy to add another role to their already 
time-consuming tasks. 

There is also the issue of managing group policies 
in the enterprise. In SMBs, group policies are rarely 
applied, due to the need to maintain them and to 
adjust them as necessary—and the necessary IT 
expertise to do this correctly is not always available. 
Yet group policies and the ability to lock down 
and control the equipment in your business is 
often a crucial part of doing business, especially if 
the business is in an industry that has compliance 
and software regulatory issues that need to be 
addressed. 

Even asset management can become an 
issue because it is difficult to keep track of what 
application licenses are applied to what systems 
and to ensure that licensing restrictions are 
being fulfilled. A task such as making sure that 
licenses aren't being wasted by being applied to 
systems that no longer need them becomes a time 
consuming effort, if done manually. 

The SMB Challenge 

SMBs usually have small IT departments. They get by with as small an IT staff as possible because it is often difficult to justify the expense of senior IT personnel, especially those with a focus on client management. Servers and applications usually draw the lion's share of budget and attention. Client systems management is often ignored as an explicit IT role in SMBs and is instead dealt with on a case-by-case basis. This is never a cost-effective solution to the problem, and it certainly doesn't scale with business growth or allow a flexible client computing infrastructure. 

So why doesn't the SMB-sized business simply invest in a client systems management platform? The usual answer is twofold. First is cost: the upfront expense of investing in the right software package for client management, plus the client licensing fees, can be a daunting number for the tight IT budgets seen in SMBs. Second is time and expertise: learning how to implement and deploy a complex desktop management solution requires dedicating IT resources, which may simply not be available, to the task. And this needs to be done before any benefits can be realized from the solution. 

This is where an SMB can benefit from managed 
service providers (MSP) that offer software as a 
service (SaaS) solutions. SaaS solutions are also 
available directly to business customers without 
an intervening layer of an MSP. You'll often find the 
two terms used interchangeably, so make sure you 
know who is providing your services, because SaaS 
vendors often make their services available through 
existing MSPs. 

For those unfamiliar with the concept, an MSP is an entity that offers a particular set of services or applications to a client, delivered via the Internet to the clients' existing computing infrastructure. The offering is an end-to-end solution for a particular problem or set of problems. 

The Basics of SaaS 

The basics of the cloud computing service 
delivery are simple. As shown in Figure 1, a secure 
connection to the Internet uses the network 
cloud to link to a secure connection to the service 
provider. In the case of managing SaaS, you'll note 
that the diagram shows that the IT management 
can connect to the service from anywhere a secure 
Internet connection can be made, in order to 
monitor and control the SaaS offering. 

In the case of SaaS, the provider is delivering the capabilities of a specific application; for example, client management. Even people who are aware of MSP offerings may not be considering the SaaS offerings. Common MSP offerings such as backup, storage, and email are complemented by the more complex tasks that can also be offered in this fashion, such as: 

► Software deployment 

► Asset management 

► Help desk services 

These are what people first think of as something that can be implemented in a cloud environment. These basic tasks work well as offloaded processes; setting up storage offsite or remote email servers fits well with the way people do business and brings clear benefits to many organizations. The concept of cloud-based management is a more difficult one for many IT people to grasp, yet it possesses many of the same benefits as any other MSP offering and even more significant advantages. Advantages include: 

► Reduced startup costs - With the SaaS approach you aren't paying for the entire management infrastructure up front. You spend money only on the services you need and are able to expand the services and client support as necessary. 

► More effective utilization of existing resources 
- While IT needs to be trained to use the new 
management service, there isn't a requirement 
to build management servers and invest time 
and effort into the infrastructure to deliver the 
management service; it's already there in the 
form of your network and connection to the 
cloud. It also allows IT to focus on the task at 
hand (in this case, client management), rather 
than focusing on getting to the point where 
actual client management can be done. 

► Faster startup - With an SaaS offering, the time from the decision to implement to actually deploying the solution is significantly reduced, especially in comparison to the time it would take to start from scratch to deploying a complete, in-house, management infrastructure. 

► Improved flexibility - If business conditions 
change, the SaaS can grow with the business 
and does not require investing in different 
solutions or rearchitecting an existing solution 
to meet the needs of a growing organization. 
SaaS services can often be as easily deployed 
to and managed on remote systems as those in 
the main office. 

► Improved security and reliability - Your provider will deliver a level of service that has been contracted for; it is their responsibility, as contracted, to assure that the service is available whenever the client needs it. This means that they are responsible for all the redundancy and disaster recovery services, to keep their managed service available, that the client would otherwise have to provide for an in-house service. 

It is important to note that implementing an 
SaaS management solution isn't just a win for IT, it 
is also a win for the business overall. For example, 
when a business plans for growth, the issues of 
providing for the IT needs of a larger organization 
are considerable. By using an SaaS solution, a 
business is able to buy the services it needs, when it 
needs them, and not have to invest in an oversized 
solution in the hopes that it will meet the needs of 
the business as it grows. 

Figure 1: An example SaaS delivery platform 

Business flexibility is also improved in other ways. As IT focuses on providing services to the internal end user and allows SaaS offerings to take some of the load off of internal IT, those IT resources become available for other projects. Thus, a business is no longer limited by what the available IT resources can immediately deliver. Additional business services can be implemented without growing the internal IT staff. This means that a business can make necessary changes more quickly and without as much concern over the ability of IT to continue to deliver appropriate services. 

Keeping all of this in mind, let's look at what client 
management, delivered as SaaS, can bring to your 
enterprise: 

► Asset management 

■ Asset management is an ongoing process 
in most IT environments. While it started off 
as simply keeping track of the hardware in 
inventory, it has grown to include license 
management as deployed in the enterprise. 

■ With a cloud-based asset management system, there is no problem in connecting remote offices or even individual remote users. Once the management client is installed on the user's computer, be it in a remote office or on a traveling notebook, any connection to the Internet allows it to become part of the managed client infrastructure of the business. 

■ This also allows addressing licensing issues 
with casually connected users; even if these 
users are mobile and on laptops, their license 
information is maintained as part of the 
management information. 

► Software deployment 

■ Assuring that the proper software, upgrades, 
and updates are properly deployed to all 
client systems can be very time consuming, 
especially if there are remote users or offices. 

■ This is a major advantage of the cloud model. 
With a good SaaS provider, software to be 
deployed can be stored not only locally 
within the corporate network, but also on the 
provider's servers. This means that any client 
that has Internet access can get the proper 
software downloaded and installed. 

■ With the ability to deploy software to clients 
outside the corporate network from the 
provider's servers, which are also outside 
the corporate network, the potential of 
introducing a security liability due to the need 
to allow this sort of network access to casually 
connected users is reduced. 

■ The same deployment model can be used 
for all clients, with each client being directed 
to the appropriate software site (internal or 
external) based upon other information stored 
about the client, such as group memberships. 

■ By utilizing Active Directory and standard Microsoft policy techniques, deployment is done in a secure and effective manner with the SaaS solution. 

► Privilege management 

■ Desktop control often results in little more than a strict lockdown policy, especially for remote and mobile users, in order to limit company exposure to improper activities or potential security holes. 

■ A flexible lockdown procedure, where clients 
can have a variety of different services 
available to the console user based on 
different sets of conditions, can make the user 
environment more friendly and flexible. 

• Applications can be made location aware; 
that is, some applications may be available 
while a user is mobile, but not allowed if the 
user is connected to the corporate network. 

• Applications can be time dependent; for 
example, made available only during or 
only after normal business hours. 

• Guidelines for these use policies can be based on any number of features, from AD objects to simply time of day and location. 

• Rights can be elevated for specific desktop 
applications or capabilities without 
elevating the basic user privilege, allowing 
applications that require a higher privilege 
level to run while the user still has the 
lowest privilege mode compatible with 
their work. 

► Remote management 

■ Because the management servers are cloud 
connected, the system can be managed, 
administered, and reported on from any 
console with an Internet connection and a 
web browser. 

■ This means that there is no need for a dedicated management console or administrative application to be installed, allowing any console to be used for management, locally or remotely. 

The Business Benefits 

Utilizing the concepts of SaaS and the cloud can 
significantly benefit your business. While not every 
application is best delivered as a service in every 
environment, the SMB user is well served by 
management applications that can be delivered 
in this fashion. Applications that are otherwise 
cost prohibitive to be implemented completely 
and properly, such as client management, make 
excellent choices for implementation using the 
SaaS model. 

The cloud delivery model is also uniquely suited for upgrading existing legacy infrastructures, especially to allow for better support and integration of mobile users. It allows the latest technology to be deployed in those environments without making any significant changes to the existing infrastructure, making mobile users more easily supported and a more practical growth path for a legacy IT structure to support. 

This entire process of client management lessens one of the biggest challenges that IT has in environments with mobile and remote users: keeping those users integrated with corporate network policies and procedures. The traditional process of linking these clients back into the corporate network has incorporated expensive hardware and software solutions that not only added to the management and support responsibilities of IT, but also had the potential to introduce many new and difficult-to-diagnose security problems into the network via the new external data access methods. 

By choosing an SaaS solution to help with your client management issues, you increase the effectiveness of your existing IT department, add significant management capability to your infrastructure, and create a more flexible and effective IT department. The SaaS systems management model is also a great solution for enterprises who find it challenging to support their mobile workforce. 
4. Click Object ID on the Members tab and select Department from the menu. 

5. Click to select a value and enter a 
department name, such as finance, as 
shown in Figure 3. Click Next to continue. 

6. Leave the Expiration Time box blank 
and click Next. 

7. Leave the group owner set to administrator and click Next. 

8. Review the details on the Summary 
tab and click Submit to complete the 
process. 

Groups can also have static membership, where join requests are managed and approved through the ILM Portal. Deprovisioning is also carried out using the portal, and workflows can be created to deprovision user objects across multiple directories with a single click. 


Figure 3: Provisioning users based on department 


Figure 4: The _Security Group Administrators set 


Understanding ILM Portal 
Components 

Before exploiting the true power of ILM, you need a basic understanding of ILM Portal components and concepts. Sets are collections of objects that have been synchronized from a connected directory and can be dynamically created based on attribute information stored on objects in the metaverse. Figure 4 shows a set called _Security Group Administrators that contains people whose department attribute is defined as Support. 

Sets can also group together ILM Portal UI elements dynamically, based on keywords. In Figure 5, you can see a set called All Basic Home Page Configurations for UI objects where the keyword is defined as BasicUI. 

Workflows are defined to either provide authentication capabilities (such as authentication gateways, authorization by verifying group membership, or requiring approval) or an action such as providing email notifications or password resets. Wizards allow you to create basic workflows in ILM Portal, a process known as codeless provisioning. 

Management Policies are used to trigger workflows and control permissions on who can do and see what in the ILM Portal. For example, if a user attempts to create a new user through the ILM Portal, a management policy would trigger the appropriate workflow. A management policy might grant a set called Administrators read permissions to another set called All Objects. 

Creating a Workflow to Provision 
a New User Object 

You can use ILM's codeless provisioning system to create basic workflows for managing identities in connected directories. In this walkthrough, I'll create a workflow that allows users with appropriate permissions in the ILM Portal to provision a user object. Because the ILM Portal comes preloaded with the necessary workflows and policies to provision users to AD, the following steps are intended for gaining a better understanding of how ILM works and how you might provision a user object to a non-Windows directory service. First, log on to your ILM server as an administrator. 

1. Open the ILM Portal in Internet Explorer (http://<servername>/identitymanagement, replacing <servername> with the name of your ILM server). 

2. Click Workflows under Management 
Policies on the left navigation bar. 

3. Click New on the All Workflows page. 

4. On the Basic Information tab, call 
the workflow Create User; under Workflow 
Action, select Action, then click Next. 

5. Choose Password Reset Activity and 
click Select. 

6. Accept the default settings for the 
random password by clicking Save. 

7. Under Password Reset Activity, click 
Add Activity. 

8. Choose Synchronization Rule Activity 
from the Activity Picker, and click Select. 

9. Select _AD Inbound Sync Rule for 
Users, leaving Action Selection set as Add, 
and click Save. 

10. Under Add the target resource to Synchronization Rule, click Add Activity. Choose Notification from the Activity Picker and click Select.

Figure 5: The All Basic Home Page Configurations set

Figure 6: The Create Workflow page

11. In the Recipients box, type administrator. Click the Browse icon to the right of the Email Template box and select an appropriate template from the list. Click Save to continue.

12. Now that you've finished defining 
activities for this workflow, click Next at the 
bottom of the Create Workflow page, which 
should resemble Figure 6. 

13. On the Summary tab, click Submit to 
finalize the workflow. 

Once the workflow has been created, 
you should define a management policy to 
trigger the workflow: 

1. Click Management Policies in the 
navigation bar on ILM's home page. 
2. Click New on the Management Policies page.

3. Give the policy a name on the General Information tab and click Next.

4. Type Administrators in the Specific Set 
of Requestors box and click the Check Names 
icon to the right. Select Administrators from 
the drop-down menu to confirm your choice, 
and the text should be underlined. 

5. Select Create resource in the Operation section and click Next.

6. In the Specific Set of Objects box, type 
All People and click the Check Names icon 
to the right. Click Next to continue. 

7. Scroll down to Action on the Policy Workflows tab and check Create User. You might need to scroll through several pages to find the correct policy. The Create User workflow should appear under Selected Objects. Click Next to continue.

8. Check the details on the Summary 
tab and click Submit. 

Now that a management policy and workflow have been created, when new user objects are created using ILM Portal, they should be provisioned in the metaverse and synchronized to the specified directory.

Do the Benefits of ILM Outweigh 
the Complexity? 

ILM 2 improves on ILM 2007 with its integrated web portal and self-service password reset integration with Windows logon. Although the codeless provisioning system provided by the portal is a welcome addition, it doesn't offer enough functionality to create workflows for Exchange or SQL Server—two mainstays of most Windows shops—rendering it a little academic. It's not even possible to modify the built-in workflow for provisioning AD user objects because of the lack of support for Exchange in the codeless provisioning system. This all leads to the fact that to do anything mildly useful with ILM 2, you'll still have to write VB.NET or C#.NET code, as was required in previous versions of ILM.

Another product, the Identity and Integration Feature Pack (IIFP), is a free download from Microsoft and provides a subset of Microsoft Identity Integration Server (MIIS) functionality specifically for synchronizing objects between AD forests to facilitate Exchange migrations. If that's all you need, it can be a much simpler alternative to ILM.

Although the basic workflows ILM provides out of the box are likely to be useful, to employ ILM in your organization and achieve an acceptable return on investment, you'll need people who have a deep understanding of the connected directories and ILM server components. Furthermore, ILM adds a level of complexity to your environment that might outweigh the benefits if you don't have the right staff on hand and complex problems to solve.

InstantDoc ID 103399 


Russell Smith 

(rms45@rsitc.com) is an 
independent IT consultant. 
He has been working in IT 
since 2000, specializing in 
systems management and 
security. 



We're in IT with You 


www.windowsitpro.com 



































address space, we've consumed 90 percent, leaving less than 425 million addresses remaining. 
That's not a lot, and the rate of consumption is increasing, making it difficult to pin down the 
actual date the last address will be used. 

Alas, trouble will start long before that day arrives, owing to the economics of scarcity 
and demand. As a resource becomes less plentiful, its price increases, something that has already 
occurred with IP addresses in North America. Unless an alternative resource—IPv6 addresses in 
this case—becomes available, the cost of getting an IPv4 address could skyrocket. 

Fortunately, the IPv6 Internet is alive and well, and waiting for your arrival. We all had a golden 
opportunity to push an IPv6 migration more than a year ago, before the current economic crash, but 
few availed themselves of that opportunity. Now, with funds tight and jobs precarious, we're faced 
with making the IPv6 move on shoestring budgets. Consider this article your shoestring to IPv6. By 
spending very little money and a modicum of your own time, you can set up an IPv6 lab that will help 
position you for an IPv6 transition when it becomes unavoidable. 

With an IPv6 lab at your disposal, you'll gain experience with IPv6 addressing, network troubleshooting, and deployment methods. You'll also have a test bed for validating IPv6 compatibility for current and future applications, hardware, and services. Most importantly, you'll augment your marketable skill set in a way that will make you much more valuable to your employer, current or future.


your own IPv6 lab and start preparing for the big move now

by Mel Beckman


The Big Picture 

In "The Inevitability of IPv6," Parts 1 and 2 (October 2007, InstantDoc ID 96880 and December 2007, 
InstantDoc ID 97365), John Howie explained IPv6 addressing, features, and operation under various 
versions of Windows. If you're not conversant in IPv6 addressing concepts and terminology, you should 
review those articles before starting this project. If you intend to use Windows 7 on your network, see the 
sidebar "Windows 7 and IPv6 Privacy." 

In addition to that technical background, an essential thing to know is that the IPv6 Internet is open 
for business, populated by the likes of Google, Apple, and Microsoft, and growing at a steady pace. You 
can get connected to that Internet by a variety of methods: a direct connection from your ISP, a desktop- 
only connection using VPN tunneling, or a LAN connection via an IPv6 ISP offering tunnel-brokering 
services. The most useful approach for a lab is the last method, because you get a large IPv6 address 
space that you can use for actual deployment when you're ready and that you can readily break into 
subnets for experimental purposes. 
Figure 1: IPv6 lab network


Figure 1 illustrates how your lab connects to an IPv6 tunnel broker. The tunnel broker operates one or more IPv6 tunnel servers at locations around the world. You choose a broker with a server reasonably close to you and sign up for service, which typically costs nothing—these tunnel brokers hope to win your business when you move your entire organization to IPv6. You then set up an IPv6 tunneling router behind your enterprise firewall, which establishes an IP protocol 47, or Generic Routing Encapsulation (GRE), IPv6-over-IPv4 tunnel connection to the tunnel broker and delivers IPv6 connectivity to your IPv6 laboratory network. Protocol 47 is often used for VPN tunnels, but in this specific case, the tunnel isn't encrypted. It's just being used to transport IPv6 packets to your test network.

A point you should have picked up in your IPv6 prerequisite reading, but worth reiterating here, is that all IPv6 networks are actually a combination of both IPv4 and IPv6 protocols, a configuration termed dual stack. A dual-stack network is necessary because the opportunity to make a clean cutover to IPv6 passed us by years ago. The only transition path left available is for every device to be on both IPv4 and IPv6 networks for the several years it will take to move totally to IPv6. Although more complex than the clean-cut approach, dual stack operation has the advantage of letting you gradually introduce IPv6 into production networks.

It's important to recognize that you'll be 
routing public IPv6 addresses behind your 
corporate firewall, so you should make 
sure that your IPv6 lab network remains 
completely isolated for security purposes. 
The example router configuration provided 
in the online version of this article includes 
a sample security policy that blocks all 
inbound traffic except HTTP (TCP port 
80). You can modify that policy to suit your 
experimental requirements. 

To make your IPv6 lab operational, 
you'll have to complete three tasks: 

1. Sign up with an IPv6 tunnel broker 
and get an IPv6 IP address allocation. 

2. Acquire and configure an IPv6 
router to use the tunnel. 

3. Activate and test the IPv6 connection. 


Signing Up for Service 

You have several choices for IPv6 tunnel brokering service. It's possible that your current ISP offers this service, and if so, that may be your best bet, because you'll get a connection that performs well and that you can easily transition to production use in the future. Alas, only a few ISPs have this option available. Fortunately, tunnel brokers are willing to give the service away to new IPv6 adopters like you, so you won't incur expenses for this part of your test lab. Table 1 is a partial list of these providers and their contact information.

To sign up for service, give the tunnel broker your contact information and you'll receive an account user ID and password. You can then log on to that account to create an IPv6 tunnel and get an IPv6 IP address allocation. In North America, the most prolific tunnel broker is Hurricane Electric (HE.net). Using their process as an example will guide you to requesting connectivity from any IPv6 tunnel broker.

Once you've logged on to your newly 
created account, you'll be given the option 
to create a tunnel. All you need to provide is 
a static public IP address on your end. This 
can be a public IP address associated with 
your current firewall or a separate, static IP 
address that you assign directly to the IPv6 
router at your end—I’ll explain that option in 
more detail later. You can change this address 
in the future, so don't worry too much about 
choosing exactly the right address. 

After entering your public IP address 
and clicking Submit, your tunnel will be 
created and you'll get a Tunnel Details page 
listing IPv4 and IPv6 addresses that define 
your tunnel. The important values to note 
from this are the following (you'll need 
these to configure your IPv6 router): 

• Server IPv4 address 

• Server IPv6 address 

• Client IPv4 address 

• Client IPv6 address 

• IPv6 name server 


Table 1: IPv6 Tunnel Broker Services

Provider            Coverage                          Site
AARNet              Australia                         broker.aarnet.net.au
Freenet6            Canada, Netherlands, Indonesia    gogonet.gogo6.com
Hurricane Electric  US, Canada, Europe, Asia          tunnelbroker.net
JANET               UK                                www.broker.ipv6.ac.uk
Nerim               France                            admin.nerim.net/nav/ipv6/
SixXS               US, Europe, New Zealand           sixxs.net
Figure 2: Tunnel details with /48 allocation

The HE.net Tunnel Details page shown (account jetnet, registered Sun, Nov 8, 2009) lists: Server IPv4 address 216.218.224.42; Server IPv6 address 2001:470:1f0e:2e6::1/64; Client IPv4 address 206.83.0.42; Client IPv6 address 2001:470:1f0e:2e6::2/64; Anycasted IPv6 Caching Nameserver 2001:470:20::2; Anycasted IPv4 Caching Nameserver 74.82.42.42; Routed /48 2001:470:b817::/48; Routed /64 2001:470:1f0f:2e6::/64; RDNS delegation and ASN none. An Example OS Configurations drop-down (Cisco IOS selected) with a Show Config button produces a starting configuration.


With most tunnel brokers, you'll also automatically receive an initial IPv6 allocation. In this example, HE.net automatically allocates a 64-bit, or /64, IP subnet to you. That may seem like a large block, with twice as many bits as the total IPv4 address space of 32 bits, but it's actually small in IPv6 land. Even though it contains four billion times the number of IP addresses in the entire IPv4 Internet, a /64 is considered to be the size you'd allocate to a single LAN subnet. IPv6 is big. Really big.

It turns out that you don't want to use this 
initial /64 allocation, which is intended for 
very limited experimentation. What you want 
is a /48 subnet, which uses 48 bits for the 
network part of the address but gives you 80 
address bits (128 minus 48) for devices. Now 
we're talking serious space. If you can follow 
the binary math here, given a 64-bit address 
space for each subnet, the 80 device address 
bits of a /48 allocation lets you have 32,768 
/64 subnets. With this much space, you can 
readily slice and dice your IPv6 address space 
for whatever purposes you need. 

You'll notice that the server and client IPv6 addresses are in the same /64 subnet (2001:470:1f0e:2e6::/64 in my case), with the server being at ::1 and the client (your router) at ::2. No other IP addresses are used in this entire /64 subnet. That's right, you're just going to waste billions and billions of addresses on a single point-to-point link! This is standard practice in IPv6 land, and not a problem at all, given IPv6's vast capacity.


To get a /48 allocation for yourself, just click on the Allocate link in the "Routed /48" section of the Tunnel Details page. You'll get the same page back, updated with your fresh /48 allocation (2001:470:b817::/48, shown in Figure 2). You're now ready for the first step that requires actual effort: getting and configuring an IPv6 router.

Note that the IPv6 network address of the experimental LAN, in my case 2001:470:b817:1::/64, is actually just a subnet of the 2001:470:b817::/48 allocation. The fourth byte-pair of the address, :1:, represents the subnet number (0001 in this case), lengthening the /80 address to a full /64. Technically, you could use a subnet number starting at :0:, but I prefer to reserve subnet zero for utility purposes, such as network monitoring and infrastructure management.

Windows 7 and IPv6 Privacy

One of the unusual features of IPv6 in later Windows versions—Windows 7, Windows Server 2008, and Windows Vista—is the default use of random interface identifiers when creating an interface's IPv6 address. Under IPv6's standard Neighbor Discovery Protocol, an unconfigured device uses IPv6 autoconfiguration with the MAC address to form a 128-bit host address. The IETF's RFC 2373, "IP Version 6 Addressing Architecture," Appendix A, discusses the algorithm for deriving an EUI-64 based interface identifier from a MAC address. RFC 2464, "Transmission of IPv6 Packets over Ethernet Networks," Section 4, explains how stateless address autoconfiguration employs a device's MAC address. After these standards appeared, security experts expressed privacy concerns about using hardware MAC addresses as interface identifiers. Unlike NAT, which hides private addresses from Internet-based servers, a stock IPv6 address could be used to track individual users' activities over time. So the IETF issued RFC 4941, "Privacy Extensions for Stateless Address Autoconfiguration in IPv6," which defines a random interface address that changes over time, preserving the anonymity of individual devices on the Internet.

Windows 7 uses this randomizing technique by default, rather than the EUI-64 technique. This is a good thing for user privacy, but can complicate network troubleshooting and internal user activity tracking, because a device's IPv6 address can change with each new Internet connection. Fortunately, you can disable this behavior when necessary—at the cost of device anonymity, of course—using the command

netsh interface ipv6 set global randomizeidentifiers=disabled

The IPv6 Router

Although IPv6 may be new to you, it's not new to manufacturers of networking gear, who have collectively supported IPv6 for the past ten years or so. Devices from popular manufacturers are plentiful on the used market.
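Two of the address-construction steps described above, worked in Python as an added example (it is not part of the article or of any vendor's code): carving a numbered /64 out of the routed /48 from Figure 2, and forming a host address in that /64 with either a modified EUI-64 identifier (the MAC-derived scheme the sidebar "Windows 7 and IPv6 Privacy" describes) or an RFC 4941 random identifier. The MAC address 00:1a:2b:3c:4d:5e is constructed; the prefix and tunnel endpoint values are the article's.

```python
"""IPv6 lab address arithmetic, an added example (not part of the article).

Covers two things the text describes: carving numbered /64 subnets out of
the routed /48 a tunnel broker allocates, and, from the sidebar "Windows 7
and IPv6 Privacy", how a stateless-autoconfigured host address embeds the
MAC address via modified EUI-64 (RFC 2373 Appendix A, RFC 2464 section 4)
versus an RFC 4941 random identifier. Only the standard library is used.
"""
import ipaddress
import secrets
from typing import Optional

# Values from the article's Tunnel Details page (Figure 2).
ROUTED_48 = ipaddress.IPv6Network("2001:470:b817::/48")
SERVER_V6 = ipaddress.IPv6Address("2001:470:1f0e:2e6::1")
CLIENT_V6 = ipaddress.IPv6Address("2001:470:1f0e:2e6::2")

HOST_MASK = (1 << 64) - 1  # the low 64 bits of a 128-bit address


def lab_subnet(routed: ipaddress.IPv6Network, subnet_no: int) -> ipaddress.IPv6Network:
    """/64 number `subnet_no` of a /48: the subnet number occupies the fourth
    16-bit group, between the /48 network part and the 64-bit host part."""
    if routed.prefixlen != 48:
        raise ValueError("expected a /48 allocation")
    if not 0 <= subnet_no <= 0xFFFF:
        raise ValueError("subnet number must fit in 16 bits")
    base = int(routed.network_address)
    return ipaddress.IPv6Network((base | (subnet_no << 64), 64))


def same_link(a: ipaddress.IPv6Address, b: ipaddress.IPv6Address) -> bool:
    """True when both addresses lie in one /64, as the two tunnel endpoints do."""
    return (int(a) & ~HOST_MASK) == (int(b) & ~HOST_MASK)


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 identifier from a 48-bit MAC (RFC 2373 Appendix A):
    insert ff:fe between the OUI and the device part, flip the u/l bit (0x02)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def random_interface_id() -> bytes:
    """RFC 4941 style identifier: 64 random bits with the u/l bit cleared so
    it can never be mistaken for a globally unique EUI-64."""
    iid = bytearray(secrets.token_bytes(8))
    iid[0] &= 0xFD
    return bytes(iid)


def slaac_address(prefix: ipaddress.IPv6Network, iid: bytes) -> ipaddress.IPv6Address:
    """Join a /64 prefix with an 8-byte interface identifier."""
    if prefix.prefixlen != 64 or len(iid) != 8:
        raise ValueError("need a /64 prefix and an 8-byte identifier")
    return ipaddress.IPv6Address(prefix.network_address.packed[:8] + iid)


def mac_from_address(addr: ipaddress.IPv6Address) -> Optional[str]:
    """Recover the MAC behind an EUI-64 based address; None when the ff:fe
    marker is absent, which is what a random (RFC 4941) identifier looks like."""
    iid = bytearray(addr.packed[8:])
    if iid[3:5] != b"\xff\xfe":
        return None
    iid[0] ^= 0x02
    return ":".join(f"{b:02x}" for b in iid[:3] + iid[5:])


if __name__ == "__main__":
    lan = lab_subnet(ROUTED_48, 1)  # 2001:470:b817:1::/64, the article's lab LAN
    print("lab LAN:", lan, "| endpoints share a /64:", same_link(SERVER_V6, CLIENT_V6))
    mac = "00:1a:2b:3c:4d:5e"  # constructed MAC address
    fixed = slaac_address(lan, eui64_interface_id(mac))
    print("EUI-64 address:", fixed, "-> MAC", mac_from_address(fixed))
    temp = slaac_address(lan, random_interface_id())
    print("random address:", temp, "-> MAC", mac_from_address(temp))
```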

The specific router used here, the Cisco 
1841 modular router, isn't the cheapest 
device out there (about $500 on eBay), but 
it has the best combination of software 
and hardware features for a lab device. A 
cheaper, but less capable, alternative is the 
Cisco 2621 (about $100), but this model 
lacks some IPv6 features, such as DHCPv6, 
which you might want to employ. Both 
routers have two Ethernet ports and modu¬ 
lar slots for add-in cards, which you won't 
be using for your lab setup. The version of 
Cisco IOS software tested for this article 
is 12.4.24T1, which you should be able 
to obtain from any Cisco dealer, if it isn't 
already installed on the router. 

Once you have the router, you need to configure it. Visit the online version of this article (www.windowsitpro.com, InstantDoc ID 103361) to download a skeleton configuration you can modify to create a working configuration for your router; text in bold identifies the sections you'll change by plugging in the values previously collected from your tunnel IP address values. You'll also need to plug in your domain name for DHCPv6 to function correctly.

To enter your configuration into the router, connect the serial port of the router to a computer serial port (or USB serial adapter) and launch a serial access program such as Windows HyperTerm (supplied with Windows) or PuTTY (a free download from chiark.greenend.org.uk). If you're not familiar with configuring Cisco routers, a quick tutorial is online at cisco.com/warp/cpropub/45/tutorial.htm.

A configuration housekeeping detail to note is that the settings in your router shouldn't be the public settings. Instead, they should be a private, static IP address, mask, and gateway on your firewall-protected LAN. This is because your lab router is located behind your enterprise firewall, on the assumption that this is the easiest arrangement for most IT staff. However, your firewall must support GRE (protocol 47) pass-through and be able to route GRE traffic to the specific static private LAN IP address of your IPv6 router. Most enterprise-class routers (such as Cisco ASA, Juniper Netscreen, and SonicWall TZ/NSA) have this capability. If yours doesn't, you can employ an alternative network topology in which you connect your IPv6 router directly to a public DMZ Ethernet segment between your existing firewall and your ISP's internet access device. This usually requires installing a small Ethernet switch for this purpose, if you don't have one in place already. With this arrangement, the Client IPv4 address in your Cisco router configuration will be the public value from your tunnel details page.

Activate and Test 

Once you've configured and connected 
your IPv6 router, it's time to take it for 
a test drive. Assuming you've either 
configured your enterprise firewall for GRE 
pass-through or located your IPv6 router 

directly on your public IPv4 DMZ, your IPv6 tunnel should come online automatically and be ready for use. You can do the initial testing directly from the Cisco serial port command-line interface or through a Telnet session logged on to the router. First, check the status of the IPv6 tunnel using the following command:

show interface tunnel 0 

You'll receive output similar to the following:

Tunnel0 is up, line protocol is up
Hardware is Tunnel
Description: Becknet NOC IPv6 tunnel
MTU 17920 bytes...

The display of "line protocol is up" indicates that the tunnel has been successfully connected. Next, try pinging your tunnel broker's server at the other end of the tunnel using the Server IPv6 address from the router command line. You'll receive output similar to this:

Sending 5, 100-byte ICMP Echos to 2001:470:1f0e:2e6::1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/0/4 ms

Now you're ready to connect a com¬ 
puter to your IPv6 lab network LAN. With 
Windows 7, which is fully IPv6 enabled, 
you should automatically get both IPv6 and 
IPv4 addresses. 

If you successfully obtained an IPv6 address, try a tracert command from within Windows to verify that IPv6 networks are reachable. If that works, then go ahead and surf the IPv6 Internet! Try my site at www.whatismyipv6.com first; you should get a response showing the IPv6 address you're coming from. Next, try visiting various IPv6 destinations, such as ipv6.google.com. Now you're live on IPv6!

Down the Road 

Getting your IPv6 lab functional is just the beginning. You'll want to start exploring various network tools, such as the DNS lookup utility nslookup, the IP path tracing tool traceroute, and the venerable ping utility, to see how they function with IPv6. I'll cover those tools, and more, in a future article on living with IPv6. For now, the more you explore, the more you'll learn!

InstantDoc ID 103361 


Mel Beckman 

(mel.beckman@penton.com) 
is a senior technical editor for 
System iNEWS and president of 
Beckman Software Engineering, a 
technical consultancy specializing 
in large-scale, high-bandwidth 
networks. 










Solve Common Business Problems with InfoPath and SharePoint

Microsoft Office InfoPath 2007 is one of the lesser-known tools in the Microsoft Office suite of applications. Compared with Word and Excel, it has a much smaller user base and an even smaller number of people who actually know what to do with it. In this article I explain what InfoPath can offer, focusing on how to use it with Microsoft Office SharePoint Server (MOSS) 2007. I use a common real-world expense report example to illustrate InfoPath's benefits. SharePoint's recent popularity makes InfoPath a useful tool that your organization should investigate and evaluate.

InfoPath Basics 

InfoPath is essentially a tool for designing and creating forms. The application allows nontechnical 
users to build and deliver methods to collect and manage data. Although a common perception is 
that you can accomplish the same tasks with Word or Excel, InfoPath provides greater functionality. In 
addition, you can easily convert Word and Excel files to more robust InfoPath data-collection forms. 

InfoPath is really just a package of associated files. At its heart is an XML file that represents the data 
source for your collected data inside the forms. This flexible format is extremely useful for additional 
applications to read and process the form data. The designer or front-end view is simply XSL, with 
some additional files to manage rules, data connections, and so forth. If you rename your InfoPath 
template with the .XSN extension to a .CAB file, you can extract and view the individual components 
as text files, and you can easily see how they are connected. 

InfoPath has built-in capabilities to connect with Microsoft SQL Server, Access, SharePoint, and Web 
Services to read and write data to a significant number of additional applications and data stores. These 
features make InfoPath an excellent option for building small applications that connect to multiple systems 
at once to select and update data. In addition, InfoPath can then collect and send data in human-readable 
formats via e-mail or to SharePoint. Most of these tasks can be accomplished with no compiled coding. 

Two significant features of standard InfoPath development are the rich rules and validation com¬ 
ponents that users can build without code. The application lets the form designer view and manage 
common interface controls. The underlying data source can be viewed and manipulated with intuitive 
XPath functions abstracted away from the designer. For example, you can have a number of rules on a 
control; these rules check the contents or any other controls, process calculations, or immediately let 
you know which rules passed or failed. Rules can be strung together to cover some fairly sophisticated 
data validation and specific display control management. 

You can save sections of forms as templates for reuse across multiple forms. This approach 
eliminates cutting and pasting and gives organizations the option to build components with specific 
functionality or required schema items to share with form designers. 


Design and create data-collection forms

by Ryan Thomas


SharePoint Integration 

InfoPath connects natively to SharePoint in multiple ways. It can read data from SharePoint lists quickly and easily, query live SharePoint data, and return results to the form to process a variety of options for the designer or end user. Connection options include binding data to drop-down lists for selection, obtaining user profile information, and querying sources of configuration data for rules, validation, and much more. InfoPath forms can be stored locally in SharePoint document libraries in the same way as any other type of document. They can be made the default template for a given content type, allowing the New command on a list to automatically create an instance of these custom forms to open, fill out, and save locally in the library for business processing.

Forms Services 

Some of the real power in using InfoPath with SharePoint lies in the use of InfoPath Forms Services, which is an enterprise feature of SharePoint that dynamically translates an InfoPath form to a web page via specific server technologies. Consider my previous example, in which an InfoPath form is used as the template for a content type. Web-enabling the form lets you build and publish forms directly to SharePoint and use them to start collecting XML data immediately, without requiring any additional client software beyond a web browser.

Forms Services is context-aware from a SharePoint perspective. It knows who is logged on, giving you additional flexibility in managing permissions and security for data access. When querying and using SharePoint data, you get the built-in security trimming to ensure that only appropriate access is given for each form instance.

Significant options are available for designing forms and collecting data. InfoPath is designed to send chosen fields to SharePoint fields as metadata, using out-of-the-box functionality with very little user effort. This data can then be searched with SharePoint's robust indexing and searching components or used to drive workflow, business logic, or custom applications that already exist within your environment.

InfoPath is a significant upgrade over standard SharePoint data collection with built-in lists. Typically with SharePoint lists, the designer has limited ability to make changes to the out-of-the-box new forms or edit forms that are generated on all SharePoint lists. These standard forms lack certain flexibility, such as the ability to limit access to specific fields when editing a SharePoint list item, or provide dynamic access to controls or additional data sources outside of traditional SharePoint lookup columns. SharePoint's native storage mechanism of list items limits the potential for exporting and accessing the list data in the robust way an InfoPath XML form can. All of these problems are quick and easy to address if you choose InfoPath as the form to collect data. InfoPath is also extremely easy to set up.

Using InfoPath 

Now that I've given you a basic overview of InfoPath, let's look at a common problem that organizations are using the application to solve. Perhaps this example will spark some ideas for improving efficiency or data management within your own company.

A common use for InfoPath is converting Excel or paper-based expense report forms to consolidate them into a digital environment. InfoPath's design surface is well-suited to manage the repetitive nature of this data and upload it to a SharePoint list where it can be calculated, categorized, and sent to managers and accounting for approval using either an out-of-the-box or a custom-built workflow.

I'll walk through the process at a high 
level to explain what pieces need to be built 
and how they are assembled. Our expense 
projects seem to break down roughly into 
the following steps: 

• converting existing forms to InfoPath 

• approval 

• connecting to external applications 

I'll include some extra components that 
aren't required, to give you an idea of how 
to easily extend the project with additional 
functionality. 

Convert existing forms to InfoPath. 

Existing paper-based forms, along with 
Word and Excel files, can be cataloged and 
converted to equivalent InfoPath forms or 
aggregated into a single flexible form. For 
example, an expense form converted to 
an InfoPath form will collect expense data 
from individual users, to be submitted to a 
form library. 

Figure 1 shows an InfoPath expense form that can look up current exchange rates, mileage allowances, and so forth, then calculate the amounts and automatically assign them as line items. The form can also look up existing user information, require explicit sign-off, and more.

Figure 1: An InfoPath form for gathering expense account information

Expense Report (Employee Name: Ryan Thomas; Date Submitted: 10/6/2009; Total: $395.095)

Itemized Expenses
Date       Description  Expense Type  Mileage  Currency  Currency Amount  Exchange Rate  US Dollar Amount
8/6/2009   Lunch        MEALS                  USD                                        $125.34
8/7/2009   Hotel        TRAVEL                 USD                                        $179.89
8/7/2009   Drive        GAS / AUTO    78                                                  $45.24
8/9/2009   Lunch        MEALS                            42.50            1.05            $44.63

Each line also carries Mileage Receipt, Receipt, and Exchange Rate receipt check boxes; the form has Insert item, Submit, and Close controls and is rendered by InfoPath Forms Services.

Figure 2: Task to obtain manager approval for an expense report

The task form (CSL > Expenses > Tasks > Expense Report - Manager Approval) instructs the manager: 1. If you approve this request, select Approved, add appropriate comments, and click Submit. 2. If you wish the initiator to make changes, do not select either check box; simply add comments and click Submit. 3. If you wish to completely reject the request, select Rejected, add appropriate comments, and click Submit. It has Approved and Rejected check boxes, a Comments field, and a Submit button.

As expense reports are added to a form library, code (typically an item event receiver) can be attached to the library to look at the form data and adjust permissions as necessary. The code can extract specific data elements and apply that data to existing local or external applications based on accounting rules. Although this element isn't required, it adds significant options to the overall application and is a good place to start writing some lightweight custom code as part of the application.
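To make that step concrete, here is an added example of such library code. It is not from the article and not Microsoft's: a SharePoint 2010 item event receiver that fires when an InfoPath report is saved, parses the form XML, looks up the submitter's manager on the server side, and trims the item's permissions to the submitter, that manager and the accounting group. The form namespace, the "total" field, the "Expense Approvers" site group, the "ExpenseTotal" column and the profile-based manager lookup are assumptions for illustration.

```csharp
// Added example, not code from the article or from Microsoft: a SharePoint 2010
// item event receiver bound to the expense form library. When an InfoPath report
// is saved it parses the form XML, looks up the submitter's manager on the server
// side, and trims the item's permissions to the submitter, that manager and the
// accounting group. The form namespace, the "total" field, the "Expense Approvers"
// site group, the "ExpenseTotal" column and the profile-based manager lookup are
// assumptions for illustration.
using System;
using System.Globalization;
using System.IO;
using System.Xml;
using Microsoft.Office.Server;
using Microsoft.Office.Server.UserProfiles;
using Microsoft.SharePoint;

namespace Expenses.Receivers
{
    public class ExpenseReportReceiver : SPItemEventReceiver
    {
        private const string FormNs = "http://schemas.example.com/expense-report"; // assumed
        private const string ApproverGroup = "Expense Approvers";                  // assumed

        public override void ItemAdded(SPItemEventProperties properties)
        {
            // Take the submitter from the event, never from a field in the form:
            // the form body is written by the submitter and can say anything.
            string submitterLogin = properties.UserLoginName;

            // The receiver runs as the submitting user, who must not be able to grant
            // access to anyone, so the permission changes run under elevation.
            SPSecurity.RunWithElevatedPrivileges(delegate
            {
                using (SPSite site = new SPSite(properties.SiteId))
                using (SPWeb web = site.OpenWeb(properties.Web.ID))
                {
                    SPListItem item = web.Lists[properties.ListId].GetItemById(properties.ListItemId);
                    decimal total = ReadTotal(item);

                    // The approver comes from the profile store (fed by AD), so a
                    // submitter can't route the report to a friendly approver.
                    string managerLogin = LookupManager(site, submitterLogin);
                    if (managerLogin == null)
                        throw new SPException("No manager on file for " + submitterLogin);

                    // Replace the library-wide permissions with exactly what each party needs.
                    item.BreakRoleInheritance(false);
                    Grant(item, web.EnsureUser(submitterLogin), SPRoleType.Contributor); // may revise if sent back
                    Grant(item, web.EnsureUser(managerLogin), SPRoleType.Contributor);
                    Grant(item, web.SiteGroups[ApproverGroup], SPRoleType.Contributor);

                    // Surface the parsed total as list metadata for views and workflow routing.
                    item["ExpenseTotal"] = total;
                    item.SystemUpdate(false);
                }
            });
        }

        private static decimal ReadTotal(SPListItem item)
        {
            // DTD processing stays off: the server must never resolve external
            // entities or expand entity bombs from a crafted form.
            XmlReaderSettings settings = new XmlReaderSettings();
            settings.ProhibitDtd = true;
            settings.XmlResolver = null;
            using (Stream s = item.File.OpenBinaryStream())
            using (XmlReader reader = XmlReader.Create(s, settings))
            {
                XmlDocument doc = new XmlDocument();
                doc.Load(reader);
                XmlNamespaceManager ns = new XmlNamespaceManager(doc.NameTable);
                ns.AddNamespace("my", FormNs);
                XmlNode node = doc.SelectSingleNode("/my:expenseReport/my:total", ns);
                if (node == null) throw new SPException("Form is missing the total field");
                return decimal.Parse(node.InnerText, NumberStyles.Number, CultureInfo.InvariantCulture);
            }
        }

        private static string LookupManager(SPSite site, string login)
        {
            UserProfileManager upm = new UserProfileManager(SPServiceContext.GetContext(site));
            if (!upm.UserExists(login)) return null;
            UserProfile profile = upm.GetUserProfile(login);
            return profile[PropertyConstants.Manager].Value as string;
        }

        private static void Grant(SPListItem item, SPPrincipal who, SPRoleType role)
        {
            SPRoleAssignment ra = new SPRoleAssignment(who);
            ra.RoleDefinitionBindings.Add(item.Web.RoleDefinitions.GetByType(role));
            item.RoleAssignments.Add(ra);
        }
    }
}
```

Bind the class to the form library with a Receivers element in a feature, or programmatically with SPList.EventReceivers.Add. Two choices carry the security weight: the submitter identity and the approver are taken from SharePoint and the profile store rather than from the form XML, and the XML is parsed with DTDs prohibited because it is user-supplied input.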

Approval. An out-of-the-box or custom workflow is created to assign forms to a user's manager for approval, then finally to accounting for approval. A custom workflow can override existing task edit forms with custom InfoPath forms. Custom forms are valuable in their ability to collect and process custom data as users complete the approval tasks for their expense reports. Data can be as simple as a check box asking for additional verification, as Figure 2 shows, or as complicated as querying additional systems to look up and apply that data to the local expense report.

To provide more functionality, you can easily build a custom web part that lets users attach digital receipts and proof of expenses to their expense reports. These files can be attached to specific line items on an expense report, as Figure 3 shows. Accountants play a large role in managing data and can benefit from a custom dashboard that shows all expense data as individual line items, with appropriate attachments categorized into custom accounting codes for easier management and exporting.

Connecting to external applications. As a bonus, custom code can be written from various components in the application to connect to external line-of-business systems. A common request is to export approved expense reports directly into an organization's accounting system via web services or additional connectivity options.

Well Worth Trying 

Combining InfoPath and SharePoint gives 
non-software developers many options 
for collecting and managing data, beyond 
simply using SharePoint lists and metadata 
to create standard list collection forms— 
and all without writing a single line of code. 
Developers might also want to check out 
InfoPath's robust features and capabilities 
before they resort to using Visual Studio 
to build an ASP.NET web form or an entire 
new application. You can still add code to 
InfoPath behind partial classes to scale the 
application to fit your needs. 

InfoPath's learning curve isn't very steep, and you can jump right into using it. The basic functionality is as easy to learn as Word's or Excel's. Microsoft's movement toward collaboration and server-based offerings in its Office suite, combined with SharePoint's features, makes InfoPath a useful tool for achieving your business goals. SharePoint 2010 and InfoPath 2010 will add even tighter integration and allow more granular flexibility in converting existing list forms to custom InfoPath documents quickly and easily.
[Figure 3: Custom web part with proof of expenses attached. The form library view lists each report with Name, Employee Name, AccountingLink, AttachmentsLink, Currency, Submit Date, ExpenseTotal and Title (for example spadmin-2009-10-06-6.xml). The "Accounting Expense Report Management" grid breaks each report into line items with Date, Description, Expense Cat., Expense Cat ID, Mileage, Rcpt, Curr., Curr. Amount, Ex. Rate, Amount, Mile Rcpt, Rcpt, Exch. Rate Rcpt and Attachments, and an "Expense Report Associated Attachments" list pairs each attachment with its category (Mileage Receipt, Receipt) and the expense items it covers.]
NEW & IMPROVED (Security, Systems Management, Outlook, Windows 7)

Security Appliances 
for the SMB Market 

Cyberoam announced an extension to its Accelerator Series appliances, CR25ia and CR35ia. These two security appliances are designed for small businesses to cope with global security risks, including viruses, worms, and malware. The CR25ia and CR35ia appliances have been designed to withstand the increasingly performance-intensive security requirements at branch offices. Features include stateful inspection firewall, VPN (SSL VPN & IPSec), gateway antivirus and anti-spyware, gateway anti-spam, IPS, content filtering, bandwidth management, and multiple link management. These appliances can be centrally managed through the Cyberoam Central Console. To learn more, visit www.cyberoam.com.



[Product photo: Ipswitch's WhatsUp Gold Flow Publisher]

Traffic Monitoring Program 
Reduces Need for Hardware 

Ipswitch announced the availability of WhatsUp Gold Flow Publisher, a traffic monitoring and analysis solution that extends flow-based analysis to every segment of the network. WhatsUp Gold Flow Publisher lets you understand the nature of traffic flows across your network, allowing you to drill down to the underlying causes of network congestion without expensive hardware probe deployments. WhatsUp Gold Flow Publisher enables flow monitoring for networks with non-flow-capable devices, including switches, routers, firewalls, and servers.

Flow Publisher is a small-footprint software application that captures raw traffic from TAPs (Test Access Points), mirrored ports or directly from Windows host systems. It converts the raw traffic information into records delivering visibility into the traffic on every segment of the network.

"Flow Publisher delivers in-depth traffic and flow visibility and analysis for every network, and for every customer through a simple, lightweight software-only solution," said Kevin Gillis, vice president of product management. "Armed with flow data from Flow Publisher, businesses of any size can now quickly pinpoint and resolve issues across their server or network infrastructure. Integrating flow monitoring directly on critical application servers provides a view of traffic not previously available and allows for pinpoint analysis of application issues. No other solution offers this deployment flexibility today."

WhatsUp Gold Flow Publisher starts at 
$645 for a single license on a Windows server. 
To learn more, visit www.ipswitch.com. 
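What "converting raw traffic into flow records" means in practice is worth seeing once, because flow records are the input most network detection rules run on. The following is an added example, not Ipswitch's code: packet headers are keyed by 5-tuple and rolled up into flow records, exported on FIN/RST or idle timeout, and a small SYN-scan detector then runs over the exported records. All packets in Main are constructed sample data.

```csharp
// Added example, not Ipswitch's code: the core of a software flow exporter.
// Packet headers (from a TAP, mirror port or host capture) are keyed by their
// 5-tuple and rolled up into flow records carrying packet and byte counts,
// first/last seen times and the OR of the TCP flags. A TCP flow is exported on
// FIN or RST; any flow is exported once idle longer than the timeout. A small
// detector then runs over the exported records. Packets in Main are constructed.
using System;
using System.Collections.Generic;
using System.Linq;

public struct PacketHeader
{
    public DateTime Time;
    public string SrcIp, DstIp;
    public int SrcPort, DstPort;
    public byte Proto;       // 6 = TCP
    public int Bytes;
    public byte TcpFlags;    // 0x01 FIN, 0x02 SYN, 0x04 RST, 0x10 ACK
}

public class FlowRecord
{
    public string SrcIp, DstIp;
    public int SrcPort, DstPort;
    public byte Proto;
    public DateTime First, Last;
    public long Packets, Bytes;
    public byte TcpFlags;

    public static string KeyOf(PacketHeader p)
    {
        return p.SrcIp + ":" + p.SrcPort + ">" + p.DstIp + ":" + p.DstPort + "/" + p.Proto;
    }
}

public class FlowTable
{
    private readonly Dictionary<string, FlowRecord> _active = new Dictionary<string, FlowRecord>();
    private readonly TimeSpan _idleTimeout;
    public readonly List<FlowRecord> Exported = new List<FlowRecord>();

    public FlowTable(TimeSpan idleTimeout) { _idleTimeout = idleTimeout; }

    public void Observe(PacketHeader p)
    {
        ExpireIdle(p.Time);
        string key = FlowRecord.KeyOf(p);
        FlowRecord f;
        if (!_active.TryGetValue(key, out f))
        {
            f = new FlowRecord { SrcIp = p.SrcIp, DstIp = p.DstIp, SrcPort = p.SrcPort,
                                 DstPort = p.DstPort, Proto = p.Proto, First = p.Time };
            _active[key] = f;
        }
        f.Last = p.Time;
        f.Packets++;
        f.Bytes += p.Bytes;
        f.TcpFlags |= p.TcpFlags;
        if (p.Proto == 6 && (p.TcpFlags & 0x05) != 0)   // FIN or RST closes a TCP flow
        {
            Exported.Add(f);
            _active.Remove(key);
        }
    }

    // Export every flow that has seen nothing for longer than the idle timeout.
    public void ExpireIdle(DateTime now)
    {
        List<string> stale = _active.Where(kv => now - kv.Value.Last > _idleTimeout)
                                    .Select(kv => kv.Key).ToList();
        foreach (string key in stale) { Exported.Add(_active[key]); _active.Remove(key); }
    }

    public void Flush() { Exported.AddRange(_active.Values); _active.Clear(); }

    // Flow-level detection: one source opening SYN-only flows (no ACK ever seen)
    // to many distinct ports on one destination is the signature of a port scan.
    public static List<string> FindSynScanners(IEnumerable<FlowRecord> records, int minPorts)
    {
        return records
            .Where(f => f.Proto == 6 && (f.TcpFlags & 0x02) != 0 && (f.TcpFlags & 0x10) == 0)
            .GroupBy(f => f.SrcIp + " -> " + f.DstIp)
            .Where(g => g.Select(f => f.DstPort).Distinct().Count() >= minPorts)
            .Select(g => g.Key)
            .ToList();
    }
}

public static class FlowDemo
{
    static PacketHeader Pkt(DateTime t, string s, int sp, string d, int dp, int bytes, byte flags)
    {
        return new PacketHeader { Time = t, SrcIp = s, SrcPort = sp, DstIp = d, DstPort = dp,
                                  Proto = 6, Bytes = bytes, TcpFlags = flags };
    }

    public static void Main()
    {
        DateTime t = new DateTime(2010, 3, 1, 9, 0, 0);
        FlowTable table = new FlowTable(TimeSpan.FromSeconds(30));

        // Constructed sample: one ordinary HTTPS session (SYN, ACK+data, FIN)...
        table.Observe(Pkt(t, "10.0.0.5", 51000, "10.0.0.80", 443, 60, 0x02));
        table.Observe(Pkt(t.AddSeconds(1), "10.0.0.5", 51000, "10.0.0.80", 443, 1200, 0x10));
        table.Observe(Pkt(t.AddSeconds(2), "10.0.0.5", 51000, "10.0.0.80", 443, 60, 0x11));
        // ...and a host firing lone SYNs at 40 ports of the same server.
        for (int port = 1; port <= 40; port++)
            table.Observe(Pkt(t.AddSeconds(5).AddMilliseconds(port), "10.0.0.99", 40000 + port,
                              "10.0.0.80", port, 60, 0x02));
        table.Flush();

        Console.WriteLine("{0} flow records exported", table.Exported.Count);
        foreach (string pair in FlowTable.FindSynScanners(table.Exported, 20))
            Console.WriteLine("possible SYN scan: " + pair);
    }
}
```

A real exporter reads the headers from a capture library rather than a constructed list and emits NetFlow or IPFIX datagrams instead of an in-memory list, but the aggregation and the timeouts are the same; the point of the detector is that once traffic is in flow form, a scan is a simple group-and-count over records rather than a per-packet inspection.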


Recover Lost Outlook 
Messages and Files 

SoftAmbulance released SoftAmbulance Outlook Recovery, a new solution that recovers deleted or corrupted Microsoft Outlook files and databases. Outlook Recovery is able to repair messages, attachments, address books, and calendar entries. Outlook Recovery supports export of Outlook data to .PST, .OST, .DBF and .EML formats, so the recovered databases can be used with programs other than Microsoft Outlook. Outlook Recovery is compatible with Windows 95, 98, ME, 2000, XP, Vista, 2003 and 2008 Server. A single-user license costs $79.95. To learn more, visit www.softambulance.com.

Send Fax Message Through 
Exchange 

serVonic has released an Exchange 2010 Connector for IXI-UMS, a unified messaging solution that integrates fax, voice mail, SMS, and mobile access with Exchange. The client/server fax solution of the Olching-based software manufacturer is integrated into the Microsoft Exchange and Active Directory architecture via the IXI-UMS Exchange 2010 Connector. Changes, extensions of the schema, or installations at the Exchange Server are not necessary. IXI-UMS also integrates with IBM Lotus Domino. To learn more, visit www.servonic.com.

Windows IT Pro, March 2010

3PAR Offers Autonomic 
Storage Tiering 

3PAR announced 3PAR Policy Advisor for Dynamic Optimization, new software that adds further autonomic policy management and automation capabilities to 3PAR Dynamic Optimization for 3PAR InServ Utility Storage Servers. Policy Advisor works by analyzing how the InServ's virtual volumes use physical disk space, then the software makes adjustments to ensure optimal volume distribution and storage tiering across storage server resources. Policy Advisor builds on 3PAR Dynamic Optimization, an application that makes it easier to align application and business requirements with data service levels. Policy Advisor expands this capability through automation features that reduce storage administration time. 3PAR Policy Advisor is available for free to 3PAR Dynamic Optimization users. To learn more, visit www.3par.com.

Universal Imaging Utility 
now on Windows 7 

Binary Resource announced a new version 
of Universal Imaging Utility (UIU), which 
includes new upgrades and features for 
compatibility with Windows 7. According 
to the vendor, the UIU is the only out-of- 
the-box product that works alongside 


popular cloning packages to create a single 
hardware-independent image that can be 
deployed to any desktop or laptop across 
an organization. The latest version includes 
a new OS-agnostic Discovery Tool that lets 
users select and isolate only those drivers 
that are applicable to their environment. 

The product also contains support for Mac- 
based Windows 7 users. According to Binary 
Resource, the UIU is the only hardware- 
independent solution that includes ongoing 
maintenance for the driver database. For 
more information about UIU or for a free trial 
download, visit www.binaryresource.com. 

Crack Passwords for Excel Files 

Many companies keep critical data on Excel spreadsheets that are often password protected, potentially leading to lost data. AccentSoft released Accent EXCEL Password Recovery 3.0, the latest version of its password recovery software for Microsoft Excel 97-2007 files. The new version offers password recovery up to ten times faster, expanded capabilities, and a refined graphic interface. Accent EXCEL Password Recovery 3.0 uses two unique technologies, Advanced Mask Composer and Advanced Dictionary Manager, for more effective mask and dictionary attacks that save you time on password recovery. Accent EXCEL Password Recovery 3.0 works with Windows 7, Vista, XP, 2000, and 95. One corporate license costs $40. To learn more, visit www.accentsoft.com.

Keep in mind that the "password to open" on Excel 97-2003 workbooks defaults to 40-bit RC4, which is weak enough to recover whatever the password's length, and that sheet and workbook protection passwords don't encrypt anything at all; neither is a substitute for file-level access control.


Paul's Picks

Summaries of in-depth product reviews on Paul Thurrott's SuperSite for Windows (www.winsupersite.com)

Google Chrome 4 

PROS Super fast WebKit rendering engine is 
tops; excellent extensions infrastructure 

CONS Too many web browsers already 

RATING: ♦♦♦♦O 

RECOMMENDATION: If you're looking for the fastest, most reliable web browser out there, look no further—Google Chrome is it. And with Google Chrome 4, the online giant has added some much-needed functionality via its new extensions system, which provides access to useful and interesting add-ons without sacrificing application security or stability. Chrome wasn't too interesting last year, but this latest version is quickly becoming my number one choice. Still, we need to settle on one or two rendering engines and give web developers a break.

CONTACT: Google • www.google.com

DISCUSSION www.winsupersite.com/alt/ 
chrome4.asp 

Verizon Droid with Android 

PROS Fast Android-based device with free, 
turn-by-turn navigation; epic screen; basic 
Exchange compatibility 

CONS Lacks multi-touch "pinch"zoom; no 
support for Exchange security features 

RATING: ♦♦♦♦O 

RECOMMENDATION: The Verizon Droid is a capable smartphone based on the Android platform, with a pull-out hardware keyboard, fast microprocessor, and turn-by-turn navigation functionality that's free, unlike competitors'. It includes basic Microsoft Exchange support, though it doesn't support Exchange security policies or remote wipe capabilities. But it will win over a lot of converts. It's a bit rougher than the iPhone OS, but also more manly, with true multitasking capabilities and some hardware features (like a good digital camera with flash) that the iPhone lacks. If you don't mind a ride into the Wild West of technology, check out Droid.

CONTACT: Verizon • phones.verizonwireless.com/motorola/droid

DISCUSSION www.winsupersite.com/alt/ 
droid_android.asp 
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REVIEWS ■ 


HP StorageWorks X510 Data Vault 


The HP X510 Data Vault is the business-oriented version of the HP MediaSmart Server, reviewed by Paul Thurrott in early 2009 (www.winsupersite.com/server/whs_hp_2009.asp). The Data Vault looks just like the MediaSmart, aside from the name on the front, and it acts just like it as well, right down to running Windows Home Server (WHS). Relying on WHS is the Data Vault's big weakness for a business environment, because it's easy to use, but it isn't especially configurable.

I reviewed the 2TB Data Vault, which comes with two standard 1TB drives inside. Installing the Data Vault is just a matter of plugging in the power and Ethernet connections, then installing some software. WHS automatically backs up entire computers, other than swap files, temporary files, and the recycle bin. You can set a time range for when WHS will perform backups, but that's pretty much all the input you give to the unit. (The Data Vault is also compatible with the Time Machine backup software used by Macs, but I didn't test this feature.)

The Data Vault doesn't use standard RAID technology. Instead, according to information from HP, all backup data is stored on two different drives. In my testing, however, I found WHS's data protection features insufficient in the case of drive failure. I simulated the drives failing by pulling them out of the Data Vault. Pulling the system drive knocked the Data Vault out—I immediately lost my connection to the WHS control panel, and the Data Vault wouldn't do anything but blink its lights at me until I turned the unit off, replaced the drive, and turned it on again. Pulling out the second drive didn't crash the Data Vault, but without it I couldn't access my existing backups or make new ones (the WHS control panel said that the backup service wasn't running until I put the drive back in).

WHS takes data redundancy into account and manages to fit many more backups than would fit if it simply copied the source drives—when the contents of my test system didn't change, the additional space used by a night's backup was negligible. To recover files from one of these backups, you select the backup in the WHS Connector. WHS makes the backup appear on your local system as an extra hard drive, and you can drag and drop files from there.

HP's documentation claims all data is written to both drives, so a single drive failure probably wouldn't actually cause any data loss, but losing either drive meant I couldn't access my backups immediately. In a home environment, this probably isn't a problem, but in many business environments, losing access to your data for the time it takes to get the Data Vault going again could be a problem.

Because it runs WHS, the Data Vault can 
run add-in software and has a number of 
media streaming capabilities. I don't see 
these features being used in a business 
environment, but there's really nothing 
stopping you from doing so—the Data 
Vault has surprisingly powerful hardware 
(a 2.5GHz dual-core Pentium processor and 
2GB of RAM), so you'd be hard pressed to 
bog it down by streaming music. 

The Data Vault's hardware looks nice and is very small. It has room for four drives to fit inside, plus eSATA and USB connections for extra drives. The build quality of the hardware is pretty good, but I found adding and removing drives to take a bit more force than I'd expect. Also, I couldn't fully remove the second drive from my review unit at all—I could pull it out far enough to disconnect the SATA and power connections on the back of the drive, but not actually take the drive out of the Data Vault. I assume this quirk is unique to my review unit, because I couldn't find any other reports of this problem online.

If you're shopping for a backup solution and you don't have an IT staff, the Data Vault is a good choice. If you're comfortable installing software using a Windows wizard, you're probably qualified to install it. If your business is large enough to have even a single IT pro, however, you could probably come up with less expensive solutions (say, an old desktop PC with some backup software and a couple of hard drives in RAID 1) that do everything the Data Vault does. The Data Vault is a well thought out and capable product for its target audience, but if you're reading Windows IT Pro, the chances are you're not in that audience.

Zac Wiggy | zac.wiggy@penton.com
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HP StorageWorks X510 Data Vault 

PROS: Easy installation and configuration; small 
size; powerful hardware; Mac support 

CONS: Limited configuration options; doesn't 
use RAID; if either drive fails, you can't access 
your backups; Windows Home Server doesn't 
seem to fit business environments 

RATING: ♦♦♦♦O 
PRICE: Starts at $699; $799 as reviewed 

RECOMMENDATION: For very small businesses without IT staff, the Data Vault is a good hands-off backup option. Shops with any IT staff at all, however, can probably put together better solutions.

CONTACT: HP • 800-334-5144 • www.hp.com 
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Data Robotics DroboPro 



IT departments are feeling the effects of a weakened economy. Dedicated, experienced IT staffs have given way to reduced workforces and lone admins working branch offices. But these overworked professionals are still tasked with the responsibility of keeping an environment healthy and running—and properly protected. It's easy, in such circumstances, to rely on quick backup methods such as USB hard drives or CD/DVDs, but you're doing your business a disservice if you aren't automating the process and using some kind of data redundancy. You need a device that's easy to configure and perhaps even fun to use, and that will provide comprehensive data backup for your environment. Enter Data Robotics' DroboPro.

The DroboPro is a disk-management system that utilizes a proprietary data-protection methodology called BeyondRAID, which provides the foundation for a unique storage experience that lets you dynamically add hard drives on the fly to instantly increase your storage capacity. Into its eight bays, you can plug disks from any manufacturer and of any capacity to gain data protection that boasts self-management and automatic healing. It's that easy.

Diving into the DroboPro box, I was impressed by the attention Data Robotics has paid to the design of not only its product but also the packaging itself. I withdrew the black-wrapped DroboPro monolith from its box and could actually hear the booming crescendo of Strauss's Thus Spoke Zarathustra as I unveiled the sleek appliance. The unit itself is a glossy, black beauty—a squat, powerful block of processing power—and it comes accompanied by a handsomely packaged Drobo Dashboard CD-ROM and user guide, a power cable, and three connectivity cables (USB 2.0, FireWire 800, and Ethernet).

Behind its magnetic faceplate, the DroboPro offers eight 3.5" hard drive bays. You simply plug in any number of internal-type SATA hard drives (older IDE or ATA drives won't work), making sure the connections line up correctly, and perform the quick Drobo Dashboard software installation. The DroboPro then begins its work of accepting and protecting your data. Plug in two or more drives, and you have redundant data protection. There's even optional protection for double drive failure, but of course that requires significant disk space.

The Drobo Dashboard is exceedingly simplistic—perfect for the IT admin in the SMB or branch office who has 17 things to do at any moment. The DroboPro also uses a unique set of traffic-light-colored indicator lights, letting its user know at a glance what the unit is doing—green for healthy, yellow for caution (you'd better add a disk soon because DroboPro is running out of disk space), and red for failure (add or replace a disk now because you're not protected). After plugging a few 1TB and 750GB Western Digital hard drives into the system, I loaded a bunch of data onto the unit, watching its lights flash succinctly and watching the Drobo Dashboard communicate its status via a vivid pie graph and an illustration of the drive bays. After a few minutes, all data was protected and redundant across the drives.

I opened a couple of data files and a media file, letting a video play during my testing, and simulated a hard-drive failure by removing one of three drives. I watched as the DroboPro processed the new situation—all the while showing no interruption in the data or media files. The unit had experienced a drive failure and had calmly informed me that Drobo cannot currently protect your data against hard drive failure. After plugging a new drive in, DroboPro took about three minutes to quietly duplicate the first disk's data and display its newly healthy status—still no interruption to the running programs.

Note that the DroboPro isn't designed for shared storage; it's a single-server solution more ideal for the SMB than the multi-server enterprise. If you're familiar with Data Robotics' original Drobo, you might be disappointed to find that DroboShare isn't available on the DroboPro. If you need networked storage, I urge you to look to the company's more recent offering, DroboElite.

Despite that shortcoming, DroboPro is extraordinarily easy to use and set up. It's not exactly a lightning-fast solution, but performance is very good considering the scalability and simple self-management DroboPro offers. It might just be the perfect solution for today's resource-strained small office—automated, easy-to-use, plug-and-play backup functionality in the form of a cool gadget.
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Data Robotics DroboPro 

PROS: Spectacularly easy to use; self-managing; 
auto-healing; double-disk-drive-failure 
protection; just plain cool 

CONS: Not terribly fast; single-server limitation 

RATING: ♦♦♦♦❖ 

PRICE: $1,499 ($2,125 as tested, bundled with 
five Western Digital hard drives) 

RECOMMENDATION: DroboPro is a perfectly 
positioned, easy-to-configure-and-deploy 
storage gadget for the SMB environment—but 
not if you need networked storage. 

CONTACT: Data Robotics • 866-997-6268 • 
www.drobo.com 
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REVIEW ■ 


Blade File Transfer System 2.3 


Those of us who live in areas that offer multi-megabit-per-second broadband Internet connections can easily forget that fast and reliable communication isn't the norm in many parts of the world. Some areas suffer with the vagaries of aged telephone networks and satellite links, which can make transferring large files difficult or even impossible.

Blade File Transfer System 2.3 mitigates 
the problems of unreliable networks by 
letting you restart interrupted file transfers 
where they left off, which is a boon when 
you can't get continuous connectivity 
to a remote server. It sports other useful 
features, such as a web-client interface in 
addition to the native Windows client, a 
command-line utility that can synchronize 
directories while minimizing data transfers, 
and email notification of transfer status. 

Why not just use FTP? Plain FTP sends user names, passwords and file contents in cleartext, so anyone on the network path can read or tamper with them. Other secure file transfer options exist, such as FTP over SSL (FTPS) in Windows Server 2008's IIS 7.0 and the restart-capable open-source FileZilla (filezilla-project.org), but they lack the convenient web GUI supplied by Blade File Transfer System.

Hard to Install But Easy to Use 

Installing Blade File Transfer System isn't for the faint of heart. The bundled installer merely extracts a minimal installer and a how-to PDF document describing post-installation steps, which are numerous. For example, you must manually set IIS directory permissions, generate and install an SSL certificate, and create an IIS application pool. The installer could automate these steps to greatly simplify the setup process and head off potential missteps. In addition to the post-installation steps, you must manually create users' download and upload folders.

Once installed, however, Blade File Transfer System is straightforward to run. Users can install a native Windows client or access a web portal that downloads a .NET runtime file transfer utility. In both the Windows and web GUIs, the user simply selects files to be transferred and initiates the copy operation. This is where the system's fault tolerance comes into play. If the client's network connection is broken or if the server gets rebooted, Blade File Transfer System automatically restarts the file transfer from where it left off, without missing a byte.

The Advantages 

On slow, unreliable networks, large file 
transfers could take hours or days—longer 
than anyone wants to sit around waiting. 
Blade File Transfer System has a convenient 
email notification feature that lets you 
know when a transfer completes or if a 
restart is required. Its command-line utility 
lets you synchronize files between a server 
and client, copying only the files that have 
changed, minimizing the amount of data 
that must be copied to maintain parallel 
file repositories. (This feature isn't available 
through either GUI.) 

Blade File Transfer System has a few other advantages, such as the ability to move files up to a terabyte in size, which is far larger than the files you can move with Microsoft's FTPS utility. In addition, transfers pass through most firewalls without special configuration because the system runs over HTTPS, that is, HTTP carried inside an SSL/Transport Layer Security (TLS) session, which most firewalls already allow outbound; it is FTP's separate data connections that usually need special-casing.

The Disadvantages 

Blade File Transfer System has a couple of negatives, and one is serious. If you neglect to install a digital certificate, it authenticates users and transfers files without encryption. More important, it doesn't warn you, either by sending a message to the client or by logging an error on the server. Nothing in the installation process forces you to install a certificate, which is an easy step to miss, especially given the minimal guidance about SSL in the installation guide. This contravenes the basic enterprise security practice of failing safe: when protection can't be established, the operation should stop rather than continue unprotected. The oversight shouldn't be present in a product that claims data protection as a major feature. Even worse, the system fails to record in its audit log that encryption isn't operational. Even a basic web browser clearly shows when a session is unencrypted. Blade File Transfer System should display the security status during transfers, log that status for every file moved, and alert users when data is being sent unencrypted.

The second negative is a buyer's caveat: Blade File Transfer System requires separate CALs for each user (including web and command-line users) and comes bundled with only five CALs. This could be a deployment limitation if you're looking for a way to interact with many customers in, for example, a tech support environment.

Useful But Needs Work 

If you need to securely move large or 
numerous files on less-than-perfect 
networks or if you want to give your users 
a simple web-based file transfer interface, 
Blade File Transfer System is a useful solu¬ 
tion. However, the serious security flaw I 
found regarding unenforced encryption 
must be remedied before I can recom¬ 
mend it wholeheartedly. ^ 
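The fail-open behaviour described in this review is exactly what to verify before putting any HTTPS file-transfer service in front of users, and the product's own logs won't tell you. The following is an added example, not Blade's code and not from the review: a small probe that requests the login page over plain HTTP (a fail-safe deployment refuses the connection or redirects to an https:// URL) and then opens a TLS session that must validate against the machine's trust store. The host name and login path are assumptions.

```csharp
// Added example, not Blade's code: probe a file-transfer service for the
// "silently unencrypted" failure mode. Step 1 asks for the login page over
// plain HTTP and classifies the answer; step 2 opens a TLS session and
// requires a certificate that validates against the local trust store.
// The host and the login path in Main are assumptions.
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

public static class TransferTlsProbe
{
    public enum PlainHttpResult { Refused, RedirectsToHttps, ServesPlaintext, Other }

    // Pure classification of the plain-HTTP answer, kept separate from the
    // network code. Fail-safe means either no listener on port 80 or a
    // redirect whose Location is an https:// URL; a 2xx means the service is
    // happy to authenticate users in the clear.
    public static PlainHttpResult Classify(int status, string location, bool connected)
    {
        if (!connected) return PlainHttpResult.Refused;
        bool redirect = status == 301 || status == 302 || status == 307 || status == 308;
        if (redirect && location != null
            && location.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
            return PlainHttpResult.RedirectsToHttps;
        if (status >= 200 && status < 300) return PlainHttpResult.ServesPlaintext;
        return PlainHttpResult.Other;
    }

    public static PlainHttpResult ProbePlainHttp(string host, string path)
    {
        HttpWebRequest req = (HttpWebRequest)WebRequest.Create("http://" + host + path);
        req.AllowAutoRedirect = false;   // we want to see the redirect itself, not follow it
        req.Method = "GET";
        req.Timeout = 5000;
        try
        {
            using (HttpWebResponse resp = (HttpWebResponse)req.GetResponse())
                return Classify((int)resp.StatusCode, resp.Headers["Location"], true);
        }
        catch (WebException ex)
        {
            HttpWebResponse resp = ex.Response as HttpWebResponse;
            if (resp == null) return Classify(0, null, false);   // refused or timed out
            using (resp) return Classify((int)resp.StatusCode, resp.Headers["Location"], true);
        }
    }

    // Returns the subject of the validated server certificate, or throws if the
    // handshake fails or the chain does not validate.
    public static string ProbeTls(string host)
    {
        using (TcpClient tcp = new TcpClient(host, 443))
        using (SslStream ssl = new SslStream(tcp.GetStream(), false, StrictValidation))
        {
            ssl.AuthenticateAsClient(host);
            if (!ssl.IsEncrypted) throw new InvalidOperationException("TLS session is not encrypted");
            return ssl.RemoteCertificate.Subject;
        }
    }

    private static bool StrictValidation(object sender, X509Certificate cert,
                                         X509Chain chain, SslPolicyErrors errors)
    {
        // A self-signed or mismatched certificate is reported, never waved through:
        // accepting it silently is the same class of mistake as the plaintext fallback.
        return errors == SslPolicyErrors.None;
    }

    public static int Main(string[] args)
    {
        string host = args.Length > 0 ? args[0] : "transfer.example.com";   // assumed
        string loginPath = "/login";                                         // assumed
        PlainHttpResult plain = ProbePlainHttp(host, loginPath);
        Console.WriteLine("plain HTTP: " + plain);
        bool ok = plain != PlainHttpResult.ServesPlaintext;
        try { Console.WriteLine("TLS OK, subject: " + ProbeTls(host)); }
        catch (Exception e) { Console.WriteLine("TLS FAILED: " + e.Message); ok = false; }
        return ok ? 0 : 1;   // non-zero so a deployment script can refuse to go live
    }
}
```

Run it from a host outside the server's own trust boundary after every install and certificate renewal; a ServesPlaintext result or a TLS failure is the condition the review says the product itself never reports.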
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Blade File Transfer System 2.3 

PROS: Provides fault-tolerant file transfers for 
unreliable networks; offers a web client option, 
a command-line directory synchronization tool, 
and email notification 

CONS: Has a complex installation process and 
per-user licensing costs; requires a user-generated 
SSL certificate; fails to provide a warning for 
unencrypted transfers 

RATING: ♦♦OOO

PRICE: $784; $58 per CAL after five included 

CALs 

RECOMMENDATION: Blade File Transfer System works well at its mission of providing fault-tolerant file transfers, and its use of SSL/TLS to secure transfers ensures simple and safe transit through firewalls. However, it's easy to inadvertently set up the system without encryption enabled, and it doesn't warn you when files are transferred in plaintext.

CONTACT: Blade • +64 4 976 8446 • 
www.blade.net.nz 
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Lenovo ThinkServer RD210 



The Lenovo ThinkServer RD210 (model 3796-2CU reviewed) is a dual-socket system that pairs quad-core power with a tiny 1U form factor. The test server came equipped with one Intel Xeon E5540 2.53GHz quad-core processor, 8GB of DDR3 RAM, and two 300GB 10,000rpm SATA hard drives. In its maximum configuration, the system supports a total of 128GB of RAM and up to 3TB of storage.

The ThinkServer RD210's front panel is configured quite differently from most 1U rack-mounted units I've worked with. In addition to the standard two USB ports, the ThinkServer RD210 also boasts a front-mounted video port, a slim-line DVD-RW drive, a control panel with a slide-covered power button and warning light, and a unique pull-out diagnostic panel. This panel can definitely help you troubleshoot hardware errors without requiring you to remove the system from the rack. If a yellow warning light indicates a system problem, you can pull out the diagnostic panel for more detailed information about the error's source. A series of lighted indicators identifies various system warning locations, such as the CPU, fan, and power supply.

The back of the ThinkServer RD210 provides two integrated Gigabit Ethernet adapters, two USB ports, one integrated video adapter, one serial port, and one Integrated Management Module (IMM) port. There's room to install two additional NICs. Notably, there are no PS/2-style mouse or keyboard ports. Internally, the ThinkServer RD210 makes use of the Intel 5520 chipset, sports an integrated RAID controller, and provides two internal PCI Express (PCIe) slots for expansion: one x16 full-height half-length slot and one x16 low-profile slot. The system also has redundant hot-swappable 675W power supplies.

You can purchase the ThinkServer 
RD210 with Windows Server 2008 or Server 
2008 R2 Standard or Enterprise edition. 

The system can also be preloaded with Server 2008 SBS Standard, Server 2008 EBS Standard, or Server 2008 EBS Premium. As an alternative to the Windows Server OS, the unit can also come preloaded with Novell's SLES for ThinkServer, with either Standard or Priority support. The server I tested came with Server 2008 R2 Standard Edition.

The ThinkServer RD210 is quite light and easy to install into the rack. The server takes a surprisingly long time to power up, though, requiring up to three minutes between the initial power-on to the time the POST screen appeared. During this time, the system performs numerous self tests and diagnostic checks. After turning the unit on, I was pleasantly surprised by how quiet it was. Most 1U servers are quite loud, requiring a lot of airflow to keep the unit cool. The RD210 produced about the same noise as a floor-mounted server, which is very little. I was also pleased to find that the system fully supports virtualization and can run both Microsoft's Hyper-V and VMware's ESX Server. Several competing 1U units don't support hardware virtualization.

Overall, the unit's performance was 
impressive. I ran up to eight active Hyper-V 
VMs with above-average performance—on 
par with that of much larger 4U systems 
that I've previously tested. When equipped 
with dual quad-core processors, the system 
would provide outstanding performance 
as a small-scale virtualization host or as a 
web application server. 


The ThinkServer RD210 supports out-of-band management through its built-in IMM, a management controller chip that combines a service-processor feature, a video controller, and remote management. IMM lets you perform most basic systems management tasks, including system power-on and restart, system hardware monitoring, configuration of automated system restart, blue-screen capture, and boot-sequence modification.

If you're looking for a 1U rack-mounted virtualization server, the Lenovo ThinkServer RD210 is an excellent choice. Its dual quad-core capability and support for up to 128GB of RAM deliver excellent performance and scalability in a very small form factor.
Lenovo ThinkServer RD210

PROS: 1U form factor; excellent performance; 
virtualization-capable; quiet 

CONS: No PS/2 mouse or keyboard ports 

RATING: 

PRICE: $4,149 as tested 

RECOMMENDATION: I highly recommend 
the quiet, capable Lenovo ThinkServer RD210, 
particularly as a small-to-midsized business (SMB) 
virtualization server. 

CONTACT: Lenovo • www.lenovo.com • 
866-968-4465 


Michael Otey | mikeo@teca.com 
COMPARATIVE REVIEW

Pair of PowerShell Editors Pack a Punch

Editors provide full-featured PowerShell 
development environments 

by Michael Otey 


There's no doubt that Windows PowerShell is the future for Windows administrative scripting. Microsoft has adopted PowerShell as the scripting environment for a number of its products, including System Center Virtual Machine Manager (VMM) 2008, Windows Server 2008 R2, Exchange Server 2007, and the upcoming Exchange Server 2010 release. Even so, in the past, the capabilities found in development tools for PowerShell have lagged behind those found in development tools for other scripting languages. For instance, not very long ago PowerShell scripting editors really only delivered color-coded syntax; they lacked other vital capabilities such as statement completion and debugging. A lot has changed over the past year, and the current crop of PowerShell editors provides full-featured PowerShell development environments. In this review, I'll look at two of the leading PowerShell editors: iTripoli's Admin Script Editor (ASE) 3.6 and SAPIEN Technologies' PrimalScript 2009. Table 1 compares these products' features. For more information about some of the other choices for developing PowerShell scripts, see the sidebar "Other PowerShell Development Tools."

Evaluation Criteria 

Modern editors should meet several criteria. They should support unlimited undo and redo, as well as provide intelligent help with a variety of scripting languages. In addition to support for multiple scripting languages, you'll want to look at whether the editor provides templates for common coding constructs (e.g., For Next loops and common object creation) and code editing tools (e.g., color-coded keywords).

Another important factor is support for code completion 
along the lines of Visual Studio's IntelliSense, where the editor 
can interactively display a drop-down box showing an object's 
methods and properties. Equally important is the ability to 
organize your files into projects and have multiple files open in 
different windows. Being able to perform block mode editing 
is another handy feature. Last but certainly not least, a good 
development environment should let you debug scripts by 
setting breakpoints, single stepping through code, and viewing 
and modifying the contents of variables. 


To see how ASE and PrimalScript 2009 stood up to these criteria, I used them to edit and debug a multi-file set of PowerShell scripts. In the past, I've used this set of scripts for product benchmarking and for testing several standalone PowerShell utilities.

iTripoli's ASE 

ASE began as a VBScript editor and has been enhanced to support PowerShell. Besides PowerShell and VBScript, it supports Active Server Pages (ASP), AutoIt, KiXtart, HTML, HTML Application (HTA), Windows command shell (.bat and .cmd), XML, XML Schema Definition (XSD), and Extensible Style Language (XSL). You can also use it to edit .ini and .reg files. ASE includes support for PowerShell debugging, 75 new Logon Script Builder templates, support for the Microsoft .NET Framework 3.51, and user-definable color schemes.

ASE runs on Windows 2000 and later and requires the .NET Framework 2.0. However, ASE 3.6 doesn't support Windows 7 (which was troublesome for testing, because Windows 7 is my primary desktop) or Server 2008 R2. Windows 7 and Server 2008 R2 will be supported in ASE's next release.

Installation and Editing 

Installing ASE was quick and easy, taking less than a minute. After 
the installation completes, you have the option to launch it. ASE 
features a multi-tabbed editor interface, as Figure 1 shows. The icons 
in the toolbar weren't standard and I didn't really like their look, but 
they were easy to get used to. 

Editing single scripts was easy; ASE provides virtually all of the basic script editing capabilities that you would want. It offers a full-featured editor with unlimited undo and redo, color-coded syntax, and IntelliSense-style code completion. By default, the editor showed line numbers, which can be useful for troubleshooting PowerShell scripts. A handy ChangeLog feature helps you document script modifications. Right-clicking any visible PowerShell cmdlet displays help for that cmdlet at the bottom of the screen.

Unfortunately, ASE didn't want to respect the formatting of my PowerShell scripts; it kept attempting to adjust the indentation of my code to match what it wanted. ASE doesn't provide support for block cut-and-paste. It also doesn't support multi-file projects.

Table 1: Comparison of the Editors' Features

| Feature | Admin Script Editor (ASE) 3.6 | PrimalScript 2009 |
| Multi-file projects | N | Y |
| Multi-file editing | Y | Y |
| Color-coded syntax | Y | Y |
| IntelliSense-style code completion | Y | Y |
| Bookmarks | Y | Y |
| Code snippets | Y | Y |
| Text string search in multiple files | N | Y |
| Line numbers | Y | Y |
| Block cut-and-paste | N | N |
| Debugging | Y | Y |
| Multiple breakpoints | Y | Y |
| Single stepping | Y | Y |
| File comparison | Y | Y |
| Integration with source control programs | N | Y |
| Languages supported | PowerShell, VBScript, Windows command shell (.bat and .cmd), ASP, AutoIt, HTA, HTML, INI, KiXtart, REG, XML, XSD, and XSL | PowerShell, VBScript, JScript, Windows command shell (.bat and .cmd), ActionScript, Adobe Flex, ASP, ASP.Net, ASP PowerShell, AutoIt, AutoIt3, AWK, C, C#, C++, CFML, CH, CSS, Cold Fusion, Flash Communication Server, Flash JSAPI, HTA, HTML, IDM, INI, InstallScript, Java, Java Server Pages, JavaScript, KiXtart, LotusScript, Lua, Netscape LiveWire, Pascal, Perl, PHP, Python, Rebol, REG, Resource Script, REXX, Ruby, SQL, System Policy Editor, Tcl, Visual Basic .NET, WinBatch, WSC, WSH, XML, and XSLT |
| Advanced features for PowerShell | Script Packager, ScriptForm Designer, and built-in ADSI, Database, Script, WMI, and XML Wizards | Script Packager |

Writing New Scripts

ASE's built-in tools make writing new scripts easy. A set of vertical tabs on the right side of the screen provides access to a set of wizards that help you write PowerShell code. The built-in wizards include the ADSI Wizard, Database Wizard, Script Wizard, WMI Wizard, and XML Wizard. There are also custom wizards you can plug into the editor, such as the Registry Wizard and Uninstall Wizard. These wizards are exceptionally useful and powerful, and they can definitely slash the time required to write new scripts. You just need to pick the task you want to perform, and the wizard writes the required PowerShell code into the editor. The wizards also support VBScript.

Although the ASE wizards would be a 
real benefit to a Windows administrator 
who isn't all that familiar with the various 
object libraries, there is one minor irritation. 
I found it a bit too easy to inadvertently close 
the wizard windows, and there was no way 
to restore the default setup. 
ASE offers ScriptBits, a small set of 
code templates for PowerShell, VBScript, 
and KiXtart. You can create your own 
ScriptBits and add them to ASE's standard 
collection. 

Running and Debugging 

When I initially ran some scripts, I encountered signing errors, which I didn't expect. The default signing settings were set to Restricted. ASE wouldn't let me change these settings until I restarted the program using the Run as administrator option. After making the change, ASE executed PowerShell scripts like I expected. The scripts' output was directed to an Output pane shown at the bottom of the editing window.
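The signing errors above come from PowerShell's execution policy. As an added example (not code from the review, iTripoli, or SAPIEN), the following script shows the check and the alternative a practitioner would want: keep the policy at AllSigned and sign the script instead of loosening the policy. The script path, certificate store lookup, and timestamp server URL are assumptions.

```powershell
# Added example: inspect the execution policy behind the "signing errors",
# then sign a script so it runs under AllSigned rather than Unrestricted.
# Assumptions: a code-signing certificate exists in Cert:\CurrentUser\My,
# and the script lives at the placeholder path below.
$scriptPath = 'C:\Scripts\Get-DiskCounters.ps1'   # placeholder path

# Show every scope; a Group Policy or LocalMachine setting overrides CurrentUser,
# which is why an editor may need "Run as administrator" to change it.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# Restricted blocks all scripts. AllSigned for the current user needs no
# elevation and still requires every script to carry a trusted signature.
$userPolicy = Get-ExecutionPolicy -Scope CurrentUser
if (@('Restricted', 'Undefined') -contains $userPolicy) {
    Set-ExecutionPolicy -Scope CurrentUser -ExecutionPolicy AllSigned -Force
}

# Pick an unexpired code-signing certificate from the personal store.
$cert = Get-ChildItem -Path Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object { $_.NotAfter -gt (Get-Date) } |
    Select-Object -First 1
if (-not $cert) {
    throw 'No valid code-signing certificate found in Cert:\CurrentUser\My'
}

# Sign the script. The timestamp (assumed server URL) keeps the signature
# verifiable after the certificate itself expires.
$signed = Set-AuthenticodeSignature -FilePath $scriptPath -Certificate $cert `
    -TimestampServer 'http://timestamp.digicert.com'
if ($signed.Status -ne 'Valid') {
    throw "Signing failed: $($signed.StatusMessage)"
}

# Verify before running: any status other than Valid means the file changed
# after signing or the signer is not trusted on this machine.
$sig = Get-AuthenticodeSignature -FilePath $scriptPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to run $scriptPath : $($sig.Status) - $($sig.StatusMessage)"
}
& $scriptPath
```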

ASE provides excellent debugging support. Clicking the Active Debugger icon starts the PowerShell script debugger. The debugging pane, which you can see at the bottom of Figure 1, shows the local variables, script output, watched variables, and call stack. The debugger lets you set multiple breakpoints by clicking in the right margin of the editing window. Hovering the mouse over a variable displays its contents.


Advanced Features 

With the availability of Microsoft's free Windows PowerShell Integrated Scripting Environment (ISE) and other free PowerShell scripting editors, a PowerShell development environment needs to offer features that go beyond basic editing and debugging. ASE offers many advanced features that go far beyond plain editing and debugging. One advanced feature that I really liked is the built-in ScriptForm Designer. Many times you want to couple your scripts with simple UI components, and the ScriptForm Designer enables you to do just that for both PowerShell and VBScript. The ScriptForm Designer can really enhance the usability of your scripts by providing them with a GUI. One of the other cool features found in ASE is the ability to package your scripts as executables. ASE also has support for code signing, as well as the ability to compare files.

Editions 

Three different editions of ASE are available: the $99 Standard Edition, the $199 Professional Edition, and the $299 Enterprise Edition. The Standard Edition provides the essential editing capabilities and code-generation wizards. The Professional Edition adds debugging, script packaging, and the Logon Script Builder. The Enterprise Edition adds a script deployment console, an advanced query builder, and the ScriptForm Designer. The product doesn't have a manual, so only online help is available. You can download a fully functional 45-day trial of the ASE Enterprise Edition at www.adminscripteditor.com/editor/download.asp.

We're in IT with You • www.windowsitpro.com

Overall, I found ASE to be an excellent 
PowerShell editor. Unfortunately, it wasn't 
compatible with Windows 7. However, 
ASE's real strength is in the additional tools 
and advanced features such as the wizards, 
script packager, and ScriptForm Designer. 


Admin Script Editor (ASE) 3.6 

PROS: Excellent editing features; many powerful code-generating wizards; provides a form-building tool; supports script packaging

CONS: No support for projects; code editor 
doesn't match the indentation of the current 
document; Windows 7 isn't supported 

PRICE: $99 (Standard Edition); $199 (Professional 
Edition); $299 (Enterprise Edition) 

RATING: ♦♦♦♦O 

RECOMMENDATION: As long as you don't 
need Windows 7 support, this editor is a 
great choice for administrators looking for a 
PowerShell development environment. 

CONTACT: iTripoli • 866-263-0774 • www.itripoli.com


SAPIEN's PrimalScript 2009 

PrimalScript 2009 also started as a VBScript editor that SAPIEN enhanced to support PowerShell. Some of the important new features in the PrimalScript 2009 release include the Object Browser, integrated connections to MSDN and Google, an integrated command window, support for running scripts with elevated privileges, and support for Windows 7. Besides Windows 7, PrimalScript 2009 is supported on Server 2008, Windows Vista SP1, Windows Server 2003, and Windows XP SP2. The development system is recommended to have a minimum of 1GB of RAM and the .NET Framework and Windows PowerShell installed. PrimalScript 2009 provides support for 50+ languages, including PowerShell, VBScript, JScript, Windows command shell (.bat and .cmd), Visual Basic .NET, ASP.NET, Java, Adobe Flex, Perl, HTML, and XML.


Other PowerShell Development Tools 

editing products that should be available by the time this review is published are Idera's PowerShell Plus 3.1 and Quest Software's PowerGUI Pro MobileShell edition. The latest releases of these products weren't available at the time that this review was written. You can find more information about PowerShell Plus 3.1 at www.idera.com/Products/PowerShell/PowerShell-Plus. You can find more information about PowerGUI Pro MobileShell edition at dmitrysotnikov.wordpress.com/2010/01/12/mobileshell-powershell-prompt-in-a-browser.

In addition, there are a number of very capable free PowerShell editors available on the 
market. They include Microsoft's new Windows PowerShell Integrated Scripting Environment 
(ISE), PowerGUI, and Shell Tools' PowerShell Analyzer. 

The Windows PowerShell ISE is part of Windows PowerShell 2.0, which was first included with Windows Server 2008 R2 and Windows 7. In addition, 32-bit and 64-bit versions of PowerShell 2.0 can be downloaded from Microsoft's website (support.microsoft.com/kb/968929) for other Windows OSs. The Windows PowerShell ISE offers a tabbed editing interface with color-coded syntax. It doesn't provide IntelliSense-style code completion or code snippets, but it does provide support for PowerShell debugging.

PowerGUI was the first popular graphical PowerShell editor. Quest Software originally developed PowerGUI, but the company later released it as freeware. PowerGUI provides a multi-tabbed interface, IntelliSense-style PowerShell prompting, code snippets, and an integrated debugger. I've used PowerGUI for many of my own PowerShell development projects. You can find out more about PowerGUI in "Features of PowerGUI Script Editor," January 2009, InstantDoc 100758. You can download PowerGUI from www.powergui.org/downloads.jspa.

Shell Tools' PowerShell Analyzer is a different kind of PowerShell development product. It offers a graphical editing environment and code completion but doesn't provide a graphical debugger. PowerShell Analyzer's set of "visualizers" let you inspect objects returned from PowerShell commands. You can download PowerShell Analyzer from www.powershellanalyzer.com.

InstantDoc ID 103482 
Installation and Editing

Installing PrimalScript 2009 was effortless, taking less than a minute. PrimalScript provides a multi-tabbed editor, which you can see in Figure 2. I found the PrimalScript editor to be intuitive and easy to use. Its interface is very similar to that in Visual Studio, and I preferred PrimalScript's look and familiar icons over ASE's interface.

PrimalScript provides a full-featured editor with unlimited undo and redo, color-coded syntax, and IntelliSense-style code completion, which is called PrimalSense. I really like PrimalScript's Clipboard Ring, which lets you copy multiple code sections to the clipboard, then choose to paste different pieces into different sections of your script.

By default, the PrimalScript editor shows 
line numbers. Pressing F1 while your cursor is 
over any of the PowerShell cmdlets displays 
a help pane for that cmdlet at the bottom of 
the PrimalScript editing window. This editor 
doesn't support block cut-and-paste, but it 
does support multi-file projects. However, 
I don't really care for the way projects are 
associated with workspaces. To me it seems 
like an extra and unnecessary layer. But 
PrimalScript's handy Find in Files feature 
lets you search for a text string in multiple 
files, which is useful when working with 
multi-file projects. 

Writing New Scripts 

PrimalScript has a more limited set of wizards than ASE for generating new PowerShell scripts. PrimalScript provides the ADO Wizard, ADSI Wizard, Logon Script Wizard, and WMI Wizard. However, the wizards generate VBScript or JScript code but not PowerShell code. PrimalScript provides an extensive set of code snippets and samples for PowerShell and many of the other supported languages.

Running and Debugging 

Running scripts in PrimalScript worked as 
expected. I didn't need to change any code 
signing settings. The output of each script 
was displayed in the Output window, which 
you can see at the bottom of Figure 2. 

The debugging of PowerShell scripts with PrimalScript was basic but functional. However, I couldn't set a breakpoint by clicking in the margins like I expected to be able to. Instead, I had to toggle breakpoints using the F9 key. Running the scripts in debug mode worked well, and there were no signing errors or other issues. A Set Arguments option lets you set up command-line arguments for the scripts being debugged. The debugger allows single stepping, and the script variables' contents are displayed in a Variables window. I wasn't able to hover the mouse over a variable and see its contents, nor was I able to change its contents.

Figure 2: PrimalScript 2009's UI (screenshot; the recoverable content of the editor, Variables, and Output panes follows)

Script shown in the editor:

$category="LogicalDisk"
$perfcategory = New-Object System.Diagnostics.PerformanceCounterCategory($category)
$instance="C:"
$counters=$perfcategory.getcounters($instance)
write ("{0} performance counters for {1}" -f $category, $instance)
foreach ($counter in $counters) {
    $value=(New-Object System.Diagnostics.PerformanceCounter "LogicalDisk", $counter.c   # line cut off at the right edge of the screenshot
    write ("{0} = {1}" -f $counter.countername, $value)
}

Variables pane: category = LogicalDisk; perfcategory = System.Diagnostics.PerformanceCounterCategory; instance = C:; counters = System.Diagnostics.PerformanceCounter System....

Output pane:

LogicalDisk performance counters for C:
% Free Space = 25.66843
Free Megabytes = 19575

Advanced Features 

PrimalScript's advanced features were more limited than ASE's. PrimalScript provides a Script Package feature that you can use to deploy your scripts as executables. In addition, PrimalScript can be integrated with source control programs, such as Microsoft's Visual SourceSafe or SAPIEN's ChangeVue. Other useful features include built-in code signing and the ability to compare files.

Editions 

Unlike previous versions of PrimalScript, which offered a bewildering array of editions, there's only one edition of PrimalScript 2009. I found this to be a welcome change. PrimalScript 2009 offers full online help, but I found many topics such as snippets were missing. A more complete manual is provided as a PDF file that's installed along with the product. You can download a fully functional 45-day trial of PrimalScript 2009 at www.primaltools.com/products/info.asp?p=PrimalScript.



PrimalScript 2009 

PROS: Excellent editing capabilities; 
extensive language support; easy 
script execution and debugging; supports script 
packaging 

CONS: Can't set breakpoints with the mouse; 
incomplete online help; wizards don't generate 
PowerShell code 

PRICE: $299 

RATING: ♦♦♦♦O 

RECOMMENDATION: This is an excellent scripting editor, especially if you need to work with a wide variety of languages.

CONTACT: SAPIEN Technologies • 707-252-8700 
or 866-774-6257 • www.sapien.com 

Editor's Choice 

Both ASE and PrimalScript are excellent, and they beat the heck out of developing PowerShell scripts with Notepad. However, the editor's choice for this comparison is PrimalScript 2009. Its interface is more to my liking. Although it lacks the more advanced code-generation tools, it provides project support and extensive samples, and its debugging (albeit rudimentary) is quite workable. With that said, I've written code for years, so I've worked with multiple scripting technologies and languages. Windows administrators not familiar with WMI, ADSI, and PowerShell would probably find ASE's wizards to be more important, as long as they don't need Windows 7 support right now.
THE Evolution of

by Jason Bovberg


A new decade is a fine time to take a step back, examine market trends, and try to get a sense of where we're headed. It's no secret that the economy hasn't been kind to the tech sector, and that holds true for the networking segment. We're in an era of layoffs, outsourcing, limited resources, and squashed budgets. As a result, companies find themselves needing to do more with less. Gone are the days when IT pros would have the happy approval from upstairs to throw out old stuff and buy all-new technology. Today, companies need to optimize what they already have, or they need to find the cheapest solutions possible.

For these reasons, we're seeing a rather vivid evolution in the way both SMBs and enterprises approach their basic networking goals. We're seeing a financially motivated return to basics, but at the same time we're seeing certain inevitable technological breakthroughs that, because of financial restraints, are facing caution despite their supposed inevitability. What's on the networking horizon?


A weak economy has changed the way you perceive your network


Doing More with Less 

Recently, Gartner found that an increasing number of network managers are concerned with proactively 
preventing network performance problems. "The general consciousness," says Network Instruments' 
Michael Bower, "has gone back to the root level. Fewer people are simply replacing network equipment 
that's not working. Now, they're making more of an effort to dive into their systems and actually see 
what's causing problems." 

But at a time when IT departments are shrinking, leaving companies with limited resources with which to tackle network-monitoring tasks, how are people keeping up with the challenges of their in-place technologies? The answer is that the average IT pro is moving more toward entry-level monitoring tools and away from complex monitoring. SolarWinds' Sanjay Castellino says, "Folks today just want visibility into their network. They might not have the time or knowledge necessary to run an expensive, sophisticated tool, and they certainly no longer have a team of dedicated network engineers. They have 15 jobs to do, so they just want one simple tool that lets them get awareness into their environment."

Another technology that falls into this area is the WAN accelerator, which has seen remarkable growth over the past year. Bower says, "Imagine I have a water hose, and I turn it on and spray my car. I'm only getting so much PSI. But if I pump it into a pressure tank and crank up the PSI, I can get a lot more water through that same thickness of pipe." The same basic concept applies to WAN acceleration, which offers a big benefit to those trying to squeeze the most out of their existing network hardware. These devices offer an immediate return on investment (ROI) and are simple to implement. As more companies are consolidating servers and more users are working remotely, the need for WAN acceleration will increase.


Desktop Virtualization and the Rise of 10GbE 

In a strained economy, the world of networking isn't seeing huge leaps forward, but it is seeing continued maturation of existing technologies, and one of those technologies is virtualization. Helping virtualization along, again, is the fact that networking teams are looking for ways to save time and money in their everyday processes. Castellino thinks we've seen only the tip of the virtualization iceberg, even though a huge percentage of the industry has attained at least some level of virtualization. "Last year saw a lot of experimentation. This year, people are taking it mainstream."

The increased use of mobile devices for both business and personal use is also driving IT pros to consider virtual desktops as an easy way to secure and manage access to company data and applications. According to Bower, "Virtualization of the desktop is big. In a situation where you have a limited number of servers, but large numbers of laptops or notebooks, there's a definite cost benefit in letting a user bring his or her own computer to work rather than buying and maintaining a corporate asset. And if you're involved in a merger/acquisition, very common these days, desktop virtualization allows workforces to be more simply merged. One company's systems can be quickly integrated with the existing desktops of another company. Or, if your company is reducing size, you can restrict access to corporate assets with just a couple quick clicks."

Virtual Desktop Infrastructure (VDI) is a surging networking trend that requires significant network bandwidth. Preparing an infrastructure to handle that bandwidth is a consideration for organizations evaluating VDI, and it's one reason why we'll also see a rise in 10Gb Ethernet (10GbE) adoption.

Many believe that 10GbE is the only way to get such jobs done, particularly as 10GbE technologies get faster and cheaper. In the virtualization era, in which servers deal with massive amounts of data behind the scenes, the sturdy backbone of 10GbE bandwidth will be essential.

Videoconferencing and UC 

The economy is a driving force behind another networking trend: rethinking the way employees collaborate. More than ever, companies are seeing the need to adopt videoconferencing solutions on a large scale. Videoconferencing provides a nifty alternative to air travel, particularly now that increases in network-bandwidth capacity have made it a smoother, more viable communication method.

"Video is coming online," says Bower. "It's easier and easier to do with HD monitors, and a lot of good, lower-level solutions are available now, increasing adoption. We're seeing a lot of small office/home office (SOHO) implementations, using the technology for collocation and conferences." The question of latency and jitter remains in the equation, however. "Data is very forgiving, but voice and video are not!"

In general, communications technologies continue their gradual drift to the unified communications (UC) ideal. "Over the past few years," says Bower, "UC has evolved from a concept into a true communications-management platform." The time is upon us when we'll no longer have a disparate group of technologies such as VoIP, videoconferencing, instant messaging (IM), and email, but rather single UC platforms incorporating everything. Implementation of these platforms, from such companies as Cisco and Microsoft, will increase as businesses seek cost-effective forms of collaboration.

Is IPv6 Inevitable? 

We're seeing articles in the media, yes, even in this magazine, about the inevitable rise of IPv6 in a networking environment that's seeing its current method of IP addressing (IPv4) surge toward depletion. And yet, although IPv6 is cropping up in some outlying experiments and in some products, it's just not surfacing in a meaningful way. Will this new decade see a true migration to the addressing scheme that many people today see no reason for and just don't want to mess with? In a word: yes.

In this economy, the general consciousness has gone back to the root level.

According to Windows IT Pro contributing editor John Howie, "IPv6 is indeed inevitable. There are simply too many devices that want to communicate with each other for IPv4 to keep working. The explosion in mobile devices is certainly driving this. Currently, we use a number of technologies, such as NAT and Teredo, to make it all work in IPv4, but we can't escape the fact that the pool of available IPv4 addresses is dwindling very fast." (We'll likely run out in two or three years.)

IPv6 offers many benefits beyond the capabilities of IPv4, such as faster processing of packets at the router and built-in security and extensibility. Very soon, we'll start seeing applications that demand IPv6. (Witness the new DirectAccess technology in Windows 7 and Windows Server 2008 R2.) Also, don't forget that the latest worldwide cable-modem standards support IPv6, and even if you have only IPv4 available from your ISP, you're probably using IPv6 encapsulated in IPv4, thanks to the 6to4 technology built in to Windows 7, Windows Server 2008, and Windows Vista. Heck, most modern Linux distributions enable 6to4 by default, and Apple is even supporting IPv6 in its Macs. And governments around the world, including the US government and the European Union (EU), have received mandates to migrate their systems to IPv6 and help spur global adoption.

Howie says, "Deploying a corporate IPv6 network alongside an IPv4 network is easy once your networking infrastructure supports it. Most Microsoft products support IPv6 natively, including Exchange Server, IIS, Internet Explorer (IE), and Office."

Mark Minasi, senior contributing editor for Windows IT Pro, cuts to the chase: "I find the whole IPv6 debate ridiculous, actually. It's simple, really: Some time in the next few years, we'll run out of IPv4 addresses. Period. There are only four billion IPv4 addresses on a planet with seven billion inhabitants, a billion organizations, and countless cell phones. Have you ever struggled with your ISP to get a couple of static IP addresses? In IPv6, you'll never, ever, ever run out of addresses. You'll never worry about subnetting again. You shake off some of the dust of 30 years of ancient Internet protocols built for a dial-up world. We love the phrase 'information superhighway,' but IPv4 is a dirt road. IPv6 adds the pavement."

Poised for Success 

We're at an economic low point, but the market's current positioning—doing more with less, smartly considering new bedrock technologies—will only help us come out strong and efficient on the other side.
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Systems Management

Make efficient use of your IT resources
by Zac Wiggy

Editor's Note: Information in this Buyer's Guide comes from vendor representatives and resources and is meant to jump-start, not replace, 
your own research; also, some products might have been left out, either as an oversight or from lack of vendor response. 


It occurred to me that systems management software isn't necessary for a business, strictly speaking. It's possible that businesses of any size could operate with IT teams manually performing every operation that keeps their computers running. But it's easy to imagine the thousands of man-hours that would be wasted trying to run a business this way, and how much IT staff businesses would need.

To keep your IT team from spending all day on routine tasks, you probably want systems management tools, and in the world of Windows IT pros, when you mention systems management, you think of Microsoft's System Center suite. System Center is the standard by which all other products must be judged, and Microsoft's offering is no slouch. Every business is different, however, and there's plenty of room for competing products that do more than System Center, or just do things differently.

This buyer's guide and table are focused mainly on larger suites that compete with System Center, but don't forget that many companies offer smaller products that do a few systems management tasks. You're generally going to pay a lot less for these, so if you have only a few tasks that routinely bog down your IT department, consider a product that focuses on those tasks instead of a comprehensive suite.

If you've decided to go with a suite, you still have some big 
decisions. There's a wide range of licensing costs and terms for 
different products, so do your research. Different products also 
have big differences in their areas of focus, so you might want to 
seek out someone who's already deployed a specific product and 
see if it can do what your company needs. 

Major Features 

When you're considering a systems management suite, look at trends that are likely to affect your business. Server, desktop, and application virtualization are all becoming more common in IT departments. Virtualization technology is advancing quickly, so even if you don't need it now, the odds are good that you'll want something virtual soon, and that you'll want your systems management suite to manage it.


Another trend to watch is the use of non-Windows computers. Other OSs are generating a lot of interest, and smartphones are computers in their own right. Figure out what technologies you're going to be using for the next few years before you choose a systems management suite.

You should also make sure to consider deployment and 
automation. The benefits of managed deployment are fairly 
obvious—the less work it is to get new systems going, the better. 
Automation's advantages might be a little harder to picture, but 
if your systems management solution is able to take over routine 
tasks, such as reallocating resources when you've got a full hard 
drive, with little or no input from your IT staff, the rewards can be 
substantial. 

Know Yourself 

A systems management suite is potentially a very expensive purchase, so it's vital that you get a thorough understanding (and demonstration) of a systems management suite's abilities before committing. Also make sure that you know what System Center offers, and whether your existing contracts with Microsoft will make System Center inexpensive.

As with any large IT purchase, it's important to know what you're being offered by a vendor. It's much more important, however, to know exactly what you have, what you need now, and what you're likely to need in the future. If you forget to account for your company's plans, you could choose a systems management solution that can't handle the direction your company is moving.
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
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■ SYSTEMS MANAGEMENT

Columns: Company Name; Product; Price; Windows Server OSs Managed; Windows Desktop OSs Managed; Non-Windows Server OSs Managed; Non-Windows Desktop OSs Managed; Hardware and Software Inventory/Asset Management; User Management; Server OS Deployment; Desktop OS Deployment; Application Deployment; Patch Management; Centralized Monitoring and Alerting; Automated Problem Resolution; Help Desk Integration.

Symantec (801-995-7881, 800-441-7234, www.symantec.com)
  Product: Altiris Total Management Suite
  Price: $220 with Essential Maintenance
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: Red Hat Enterprise Linux 3, 4, 5, 5.1; Novell SUSE Linux Enterprise Server 9, 10; Sun Solaris 9, 10 Sparc; HP-UX 11.11, 11.23, 11.31; IBM AIX 5.2, 5.3, 6.1
  Non-Windows desktop OSs managed: Mac OS X 10.3-10.6
  Inventory/asset management: Yes; User management: Yes; Server OS deployment: Yes; Desktop OS deployment: Yes; Application deployment: Yes; Patch management: Yes; Centralized monitoring and alerting: Yes; Automated problem resolution: Yes; Help desk integration: Yes

Absolute Software (604-730-9851, www.absolute.com)
  Product: Absolute Manage
  Price: $20/license
  Windows server OSs managed: None
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: None
  Non-Windows desktop OSs managed: Mac OS
  Inventory/asset management: Yes; User management: No; Server OS deployment: No; Desktop OS deployment: Yes; Application deployment: Yes; Patch management: Yes; Centralized monitoring and alerting: Yes; Automated problem resolution: No; Help desk integration: Yes

ScriptLogic (800-813-6415, www.scriptlogic.com)
  Product: Desktop Authority
  Price: Starts at $39 per seat; additional options $10.30 per seat; quantity discounts available
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: None
  Non-Windows desktop OSs managed: None
  Inventory/asset management: Yes; User management: Yes; Server OS deployment: No; Desktop OS deployment: No; Application deployment: Yes; Patch management: Yes; Centralized monitoring and alerting: No; Automated problem resolution: No; Help desk integration: Yes

IS Decisions (+335 59 41 42 20, www.isdecisions.com)
  Product: WinReporter
  Price: Starts $50 per server, $4 per workstation
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: None
  Non-Windows desktop OSs managed: None
  Inventory/asset management: Yes; User management: Yes; Server OS deployment: No; Desktop OS deployment: No; Application deployment: No; Patch management: Yes; Centralized monitoring and alerting: No; Automated problem resolution: No; Help desk integration: No

DeskCenter USA (516-442-1508, www.deskcenterusa.com)
  Product: DeskCenter Management Suite
  Price: Several pricing models available
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: None
  Non-Windows desktop OSs managed: None
  Inventory/asset management: Yes; User management: Yes; Server OS deployment: Yes; Desktop OS deployment: Yes; Application deployment: Yes; Patch management: Yes; Centralized monitoring and alerting: Yes; Automated problem resolution: Yes; Help desk integration: Yes

Novell (703-663-5565, 800-529-3400, www.novell.com)
  Product: Business Service Manager
  Price: Starts at $100,000
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: Linux, UNIX
  Non-Windows desktop OSs managed: Linux, UNIX
  Inventory/asset management: Yes; User management: Yes; Server OS deployment: No; Desktop OS deployment: No; Application deployment: No; Patch management: No; Centralized monitoring and alerting: Yes; Automated problem resolution: Yes; Help desk integration: Yes

NetIQ (888-323-6768, www.netiq.com)
  Product: AppManager
  Price: Pricing dependent on configuration
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: Windows 7, Vista, XP, earlier
  Non-Windows server OSs managed: Linux, UNIX
  Non-Windows desktop OSs managed: Linux, UNIX
  Inventory/asset management: No; User management: No; Server OS deployment: No; Desktop OS deployment: No; Application deployment: No; Patch management: No; Centralized monitoring and alerting: Yes; Automated problem resolution: Yes; Help desk integration: Yes

Quest Software (959-754-8000, 800-306-9329, www.quest.com)
  Product: Quest Management Xtensions
  Price: Starts at $49
  Windows server OSs managed: Windows Server 2008 R2, Server 2008, Server 2003, earlier
  Windows desktop OSs managed: None
  Non-Windows server OSs managed: HP-UX, AIX, Solaris, Red Hat, SUSE, Ubuntu, AS400, z/OS, and more
  Non-Windows desktop OSs managed: Mac, Linux, Solaris, and more
  Inventory/asset management: Yes; User management: No; Server OS deployment: No; Desktop OS deployment: No; Application deployment: Yes; Patch management: Yes; Centralized monitoring and alerting: Yes; Automated problem resolution: Yes; Help desk integration: Yes
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INDUSTRY BYTES 


■ Exchange 2010 ■ Free Tools 


INSIGHTS FROM THE INDUSTRY 


Microsoft's Astrid McClean Discusses Exchange 2010 


Recently I had the chance to speak with Astrid McClean, senior technical product manager on the Exchange team at Microsoft. I asked her some of the questions that I've been hearing from readers, and her answers get well beyond the hoopla. Do they clear up every hesitation for you? Dive into the interview to discover that for yourself.

Q: What is the recommended upgrade 
path from Exchange 2003 or Exchange 
2007? And why is there no in-place 
upgrade option? 

One of the major reasons that we don't have an in-place upgrade in this version is that we've actually significantly changed the mailbox database schema. It's something we don't talk about a lot, but a lot of the I/O improvements we got were from changing that database schema.

And that basically means that you need 
to do a move mailbox to get mailboxes 
between versions. So that's one of the 
reasons that we don't have an in-place 
upgrade. 

We know that we still do have a lot 
of customers running Exchange 2003, 
and a lot of those customers will be at a 
point where they need to replace their 
server hardware. So while they can't 
do an in-place upgrade, we really try to 
make it as easy as possible to streamline 
the deployment experience. And I don't 
know if you've seen our Exchange 2010 
Deployment Assistant—we released that 
recently to give people some streamlined 
steps so that they can choose where 
they're upgrading from, whether it's 2003 
or 2007, and you just answer a few simple 
questions about what features you're 
using, and it gives you some step-by-step 
instructions about how to actually do the 
deployment. 


Q: Does the assistant cover how to 
migrate to the cloud or to a hybrid cloud/ 
on-premises Exchange set up? 

No, not at this time. Right now, the only Exchange 2010 cloud solution we're running is actually for our Live@edu program, which is for our education customers. So for the general, more commercial customers, we'll be looking at upgrading our Exchange Online to Exchange 2010 later on next year. Once that's in place, that's certainly an option for people as well.

Q: How does Exchange 2010's built-in 
archiving compare to third-party 
archiving solutions? What was your 
intent for adding this feature? 

The initial intent for adding that feature was really to provide our Exchange customers with a way to get all of the data from their PST files—which cause a range of headaches—back under the control of Exchange. So from a user-experience point of view, they have this one place where they can get their data. It's a familiar user experience. And from the administration side of things, they've got one set of tools that can manage their data. We know that around 80 percent of our Exchange customers don't have any archiving solution at all—their solution is typically PST files. So really, the personal archive is a way to get that data into Exchange and get it into a managed environment.

So in terms of, I guess, comparison with 
other archiving products, there's probably 
a lot of things that we don't do the same 
way. The personal archive in Exchange 2010 
might not be suitable for companies that 
have really complex compliance scenarios 
or regulations, but for a lot of companies 
out there that are using PSTs, it's an ideal 
way to get that data back under the control 
of Exchange. 


Q: One of the most exciting new features in Exchange 2010 is the Database Availability Group (DAG) as a means of high availability. What do Exchange administrators who have become adept at managing Exchange clustering with previous versions need to know to quickly leverage DAGs?

This is really an evolution of the continuous replication that we introduced in Exchange 2007. So we had CCR and SCR [cluster continuous replication and standby continuous replication]. So for those that are familiar with that way of keeping a database copy updated using log shipping, a lot of those same principles still apply. But one of the big differences now is that everything happens at a database level. The other thing we've done is we're now combining the onsite and offsite replication into a single solution. It scales up to 16 servers and that means you can configure up to 16 copies of each database. And because that failover is at the database level, it means the failover time is really reduced down to 30 seconds or less.

Q: The ability to do incremental deployment seems like a huge selling point. What are you hearing from people about that point?

People are thrilled with that. In the past, if they had a mailbox server and they suddenly decided they needed to cluster it, they've had to break down the server, move all the mailboxes off, create the cluster.

So the idea that Exchange can do all that work for you, and already move the server to a Database Availability Group, and it'll manage the cluster in the background, is certainly something that our customers are very excited about because it just makes the whole process so much easier.


www.windowsitpro.com 


We're in IT with You 


Windows IT Pro 


MARCH 2010 75 









Q: New features in Exchange 2010 such as DAGs and the personal archives are certainly going to change the storage demands on Exchange organizations. How can Exchange administrators calculate their storage needs for an Exchange 2010 deployment?

Well, we have a calculator for them! In the past, we had something called the Exchange Storage Calculator. But we've just released an update to that that we're now calling the Exchange 2010 Mailbox Server Role Requirements Calculator. And we've changed the name of it because it's gone beyond just calculating storage. So you give it some inputs around how big your organization is and how big your mailboxes need to be and that sort of stuff, and basically the calculator will give you things like your mailbox database configuration, how many transaction logs will get generated, what the memory and CPU requirements are for your mailbox servers, what the recommended storage architecture is. And if it's a highly available configuration, it will do things like tell you how many active databases per server there are as well as, for instance, if you have a single failure, then you have this number of active databases per server, or if there's a double failure, it increases to this number of active databases per server. So, it's going to be a great tool, especially for larger environments, to calculate both storage requirements as well as the mailbox server requirements.

Q: Although Role-Based Access Control (RBAC) looks like a powerful permissions model, some of our readers are worried that it will be complicated to use. What do they need to know to get up and running quickly? What are the benefits of RBAC for administrators?

The feedback that we've had on this one is once people get the general concept of how it works, they're very excited by it because suddenly they have a lot more control and it's a lot easier to manage. One of the things we changed from the beta to the final release is the way that we manage the RBAC roles. And it was precisely changed to make it easier for IT admins. So we introduced the concept of the management group. There are eleven of these that are built in, and these cover the main delegation scenarios that we think a lot of organizations will use.

A role group will have a number of roles associated with it. It's things like discovery management or UM management or server management or Help desk. These are really common scenarios. In part of the Exchange Control Panel, we've given a really easy-to-use interface for the administrator to go in and assign a user or a group to one of these role groups, and as soon as they're assigned, they have those permissions. So for the vast majority of our customers, that's all they'll ever have to do.

Q: Are there additional benefits for end 
users from this system? 

Absolutely. One of the things we've done is this whole end user self-service idea. So from OWA, when you go to the Options button, you go to the Exchange Control Panel. And that has grown from not only the OWA options but also this self-service portal. And if you've been given permissions, it means that you're able to do things like join a distribution group or track a message. Or if you're a compliance officer or discovery-management person, that's the same interface you'd use to do your multi-mailbox search.

Q: With Exchange 2007, there was 
initially a lot of resistance to Windows 
PowerShell and the idea of Exchange 
management through the command-line 
or scripting. Do you have a sense of what 
users are saying now? 

What we're seeing now is the use of 
PowerShell both across Exchange and across 
other products is growing, so people are 
certainly becoming more comfortable 
with the concept of managing a server 
using PowerShell. But we've tried to put as 
many of the common tasks into the GUI 
as possible. So whether it's the Exchange 
Management Console or whether it's the 
Exchange Control Panel, the majority of the 
work can be done with some sort of GUI 
management tool. 

But because all of those tools use remote PowerShell on the back end, we've also allowed you to do things in the Exchange Management Console where you can see what command is going to run so that if you do want to use that command later as part of a script, or you want to understand what's happening, you have the power to do that. We've made some enhancements to the Exchange Management Console this time around to make that easier. In fact, there's a PowerShell log that will log everything that happens in Exchange Management Console so you can actually see what's going on. We've tried to make it easier for people to make that link between the two if they need to go to PowerShell to do anything that they've been doing through the GUI tools.

Q: The Outlook Web App (OWA) improvements in Exchange 2010 seem to make it a true rival for the Outlook desktop client. Do you anticipate this situation affecting upgrades to Outlook 2010, which isn't available yet?

I don't think it will stop people upgrading. But it gives organizations more choice. So what we're finding is a number of organizations where they may not have given their users email access at all because they don't all have a PC or they're working on shifts and have to share PCs—it now gives them a far greater option to give their people a browser-based tool to connect to. So it's really about making sure that organizations have a choice about which tool they want to use, and in making that choice they're not losing functionality, which is why you'll see a lot of the functionality in OWA is reflected in Outlook 2010. So it's about making sure that we give as much parity across all of our clients as possible.

Q: What features are available in OWA 2010 and, eventually, in Outlook 2010 that you won't get with Outlook 2007?

I don't know if I have a complete list, but the major ones would be conversation view, the new conversation view that's actually driven from Exchange. MailTips is something that's only available in those two. The personal archive is only accessible in OWA or Outlook 2010. The calendar sharing options where you can share privacy information with other organizations. They're probably the major ones.

—B.K. Winstead 
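The interview above describes assigning users to role groups such as Discovery Management, which carries the multi-mailbox search right. The following is an added example, not part of the interview or of Microsoft's documentation, showing the least-privilege check an administrator would run afterwards: walk RBAC from a cmdlet to the roles that contain it, to the assignments of those roles, to the members of any role group holding them. It assumes an Exchange 2010 Management Shell session with at least View-Only Organization Management rights; the cmdlet and property names are Exchange 2010's own, while the function name, variable names and output shape are this example's choices.

```powershell
# Added example (not the interview's or Microsoft's code): report who holds a given
# Exchange 2010 cmdlet through RBAC. Default is Search-Mailbox, the cmdlet behind
# the multi-mailbox search mentioned in the interview.
function Get-CmdletHolder {
    param([string]$Cmdlet = 'Search-Mailbox')

    # 1. Management roles whose role entries include the cmdlet.
    $roles = Get-ManagementRole -Cmdlet $Cmdlet

    foreach ($role in $roles) {
        # 2. Enabled, non-delegating assignments of each role. Delegating assignments
        #    only let the holder hand the role out; they do not grant the cmdlet.
        $assignments = Get-ManagementRoleAssignment -Role $role.Name `
                           -Enabled $true -Delegating $false

        foreach ($a in $assignments) {
            # RoleAssignee is an identity object; its string form is the assignee name
            # (assumption: the name is what we compare against below).
            $assignee = [string]$a.RoleAssignee

            if ($a.RoleAssigneeType -eq 'RoleGroup') {
                # 3. Expand a role group (for example "Discovery Management") to members.
                foreach ($m in (Get-RoleGroupMember -Identity $assignee)) {
                    New-Object PSObject -Property @{
                        Cmdlet     = $Cmdlet
                        Role       = $role.Name
                        GrantedVia = $assignee
                        Holder     = $m.Name
                        WriteScope = [string]$a.RecipientWriteScope
                    }
                }
            } else {
                # Direct assignments to users or policies bypass the role-group model
                # the interview recommends, so they are reported separately.
                New-Object PSObject -Property @{
                    Cmdlet     = $Cmdlet
                    Role       = $role.Name
                    GrantedVia = "direct ($($a.RoleAssigneeType))"
                    Holder     = $assignee
                    WriteScope = [string]$a.RecipientWriteScope
                }
            }
        }
    }
}

# Usage: list every holder, then flag any grant that did not come through the
# built-in Discovery Management role group.
$holders = Get-CmdletHolder -Cmdlet 'Search-Mailbox'
$holders | Sort-Object Holder | Format-Table Holder, GrantedVia, Role, WriteScope -AutoSize
$holders | Where-Object { $_.GrantedVia -ne 'Discovery Management' } | ForEach-Object {
    Write-Warning "Search-Mailbox granted outside Discovery Management: $($_.Holder) via $($_.GrantedVia)"
}
```

Run it again with a different -Cmdlet value (for example New-MailboxExportRequest) to review any other sensitive right the same way.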
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A New Year's Resolution for 2010: Go European 
and Save Money 


If the economy's getting better, it's doing it 
slowly, and certainly not perceptibly for most 
of my friends and clients in the IT biz. Budgets 
are tight and the specter of "the cloud" looms 
over many of our jobs. So, it's time to ask— 
what to do? I've got a thought: go European. 
Or, put simply, make better use of free stuff. 

When I'm speaking to a large IT pro audience in the U.S. and I ask, "How many of you build VBScripts with WMI and/or ADSI to automate management tasks and Active Directory jobs?", I'll be lucky to get five percent of my audience raising their hands. In contrast, the same question in a European venue will often get a positive response from 25 to 33 percent of the attendees. Ask about some truly horrible but free-in-the-box tool like Windows 2000's Remote Installation Service (RIS), and almost no one in the room in the U.S. or Canada says they're using it, but ask in a European group and you may get 20 to 25 percent of the room responding. In short, our friends from Galway to Moscow seem to have a tradition of trying to squeeze the most out of what they paid for Windows.

And heck, in a rotten economy, I say: let's 
do what they do. After all, if we can save a 
few kilobucks on software licenses, then the 
folks in the boardroom might be a little less 
inclined to ship our jobs out to the cloud. 

Deploy with WAIK and MDT 

Rolling out zillions of Windows desktops and servers can be a time-consuming job, so many of us have turned to any number of really cool and useful deployment tools that, unfortunately, can be sort of expensive. Prior to Vista, Microsoft's automated deployment tools were "minimalistically horrible," to coin a phrase. But as of November 2006, Microsoft has been offering a useful tool for scripting unattended Windows installs (Windows System Image Manager or WSIM), a disk imaging tool along the lines of Ghost (ImageX), a free cut-down version of Windows for use in doing offline deployment and file system repair (Windows Pre-execution Environment or WinPE), and a multicasting server-based tool that ties those capabilities up with a few nice GUIs (Windows Deployment Services or WDS). You can find most of those tools in a free download called the Windows Automated Installation Kit (WAIK), and you can also download (again, for free) a system called the Microsoft Deployment Toolkit (MDT) that attempts to organize and simplify using those tools. I haven't worked all that much with the MDT, preferring instead to just hack out solutions with the WAIK tools, and I can testify after using them for the past three years that they are worth getting to know.


Disaster Recovery 

Let's say you're happy with your deployment stuff. Well then, how about disaster recovery? What if you had to recreate an important Windows server that died without warning, despite your best efforts—how long would it take and how difficult would it be? Well, if that server was a Server 2008 or Server 2008 R2 system, then you'd find bringing that server back to life an absolute snap, if you employed a backup tool that first appeared in Vista called Complete PC backup.

If a Vista, Server 2008, or Windows 7 machine dies, then you can actually grab another piece of hardware (that need not be identical to the now-dead system's hardware), boot a recovery or installation disk, restore the entirety of the dead machine's state in about an hour, and it's like it never left. Yes, there have been some great third-party tools that could do this for a long time, like Acronis' wonderful TrueImage tools, but, well, they cost money, while in-the-box Windows counterparts have zero marginal software license cost and are very nearly as good.

Let me close by answering the question that is probably on many of your minds: are these solutions truly free? Well, as I said, they're free from the point of view of extra software license costs, but using them will entail some time for IT pros to learn to use them. But to be honest, neither technology is as hard as learning some sort of scripting tool, and my experience has shown me that seeing how to use them pays back dividends in time and money. But those are just two of my suggestions; take a little while and see if there's not something useful—and free—in your IT shop's future.

—Mark Minasi
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VirtualizationPro 2010 Summit & Expo

Speakers: Steve Riley, Don Jones, Michael Otey, Dan Holme, John Savill, Alan Sugano, Edwin Yuen, Jack Lo

Whether you're already working with virtualization or the technology is in your future plans, the VirtualizationPro 2010 Summit & Expo is your destination for learning everything you need to deploy, configure, secure, optimize, and manage virtualization technology.

Participate in technical in-depth sessions and workshops on:

• VDI and desktop virtualization
• Server virtualization
• Application virtualization
• Virtualized storage
• High availability and disaster recovery
• The dynamic data center
• And more!

Get the whole picture on the Microsoft Hyper-V and VMware solutions, including product comparisons

www.VirtualizationProSummit.com

800-438-6720 or 203-400-6121
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■CTRL+ALT+DEL 

by Jason Bovberg 



Ways to Know Whether You Have…

By Curt Spanburgh



1. The office is filled with olive-green phones. 

2. You open up a workstation case and it looks as if a cat perished inside and 
decomposed to dust. 

3. CD-ROMs melt in the server room when the office A/C is turned off at night. 

4. The administrator makes all his own cables. 

5. You see a box of 5¼" floppy disks on the shelf in the admin's cubicle.

6. The admin says he knows about backup software but doesn’t know how to 
restore. 

7. All workstations have public IP addresses. 

8. A 150' Ethernet cable is strung to the boss's office from a four-port switch by the receptionist's desk.

9. The server’s hard drives sound like crickets. 

10. When you ask for the backup tapes, the admin takes you to a supply closet and 
says, “You mean these?” 


Figure 1: At least it's polite! (Screenshot of an error dialog reading: "Sorry, sending the message didn't work. Something didn't go quite right. Ask the developer to make a better error message." OK)

Figure 2: I don't have time for clarity! (Screenshot of a Microsoft PowerPoint dialog reading: "PowerPoint found content in FY10 Messaging and Scenarios - Draft - 051809.pptx that it did not understand. This content has been removed and cannot be recovered. You should review this presentation to determine whether any content was unexpectedly changed or removed." OK)





I used to work for a major PC manufacturer as a phone tech. One day, a user called, asking me to replace her DVD burner. When I asked her what was wrong with it, she said, "There's no place to put the disk." Trying to understand the problem, I asked, "Do you mean the tray won't open?" She responded, "It opens, but there's no place to set the disk." I asked her to explain what she meant. "Well, all disk drives have a big circle inside where you place the disk, right? On this machine, it's just flat." Puzzled now, I asked her to tell me the make and model of the system, to which she responded, "OK, hold on a sec, the numbers are upside-down for some reason." I palmed my face. "Ma'am, are there four little rubber things on the top of your computer?" She said, "Yes." I advised flipping over the computer to fix the DVD drive.

—Alex

Email your industry humor, scandalous rumors, funny screenshots, favorite end-user moments, and IT-related pics to rumors@windowsitpro.com. If we use your submission, you'll receive a
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additional mailing offices. POSTMASTER: Send address changes to Windows IT Pro, 221 E. 29th St., Loveland, CO 80538. SUBSCRIBERS: Send all inquiries, payments, and address changes to 
Windows IT Pro, Circulation Department, 221 E. 29th St., Loveland, CO 80538. Printed in the USA. BPA Worldwide Member. 
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The servers that pay for themselves in 3 months.

Intel Xeon inside

Powerful. Intelligent.




ALTERNATIVE THINKING ABOUT SERVERS: 


Next generation HP ProLiant servers. 
11:1 consolidation and rapid ROI. 


• Achieve 95% reduction in energy and cooling costs 

• Realize savings of up to 90% in software license fees 

• Reduce the number of servers to manage by 90% 

Technology for better business outcomes. 



Up to two Intel Xeon Processor 5500 Series
144 GB maximum memory footprint
Now supports up to 8 small form factor high performance SAS hard drives or up to 6 large form factor SATA hard drives
HP Insight Control cuts management costs by up to $48K per user over 3 years* with integrated management suite



See how HP innovation is delivering radical ROI for companies like yours at hp.com/servers/roi21 or call 1-866-545-0296.

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.





















Microsoft

Productivity & Efficiency.
Any time, any place.

Don't let anyone tell you that freedom comes at the cost of control. With Windows 7 and Windows Server 2008, users get more powerful search, smoother multitasking and the ability to work from virtually anywhere without a VPN. Add System Center and the Microsoft Desktop Optimization Pack, and you get more automated PC management and increased control over your environment. Control for you and flexibility for your users. Optimized may not be a strong enough word.

To learn more about how desktop optimization can drive efficiencies go to itseverybodysbusiness.com/optimize

Snap this tag to get the latest news on desktop optimization or text OPTIMIZE to 21710

Get the free app for your phone at http://gettag.mobi

Because it's everybody's business































